Windows Analysis Report
eN0ONo7Zrw.exe

Overview

General Information

Sample Name:eN0ONo7Zrw.exe
Original Sample Name:9f88b9ae0fe7903ba4f24f0ed5de67c5.exe
Analysis ID:1309438
MD5:9f88b9ae0fe7903ba4f24f0ed5de67c5
SHA1:ba2c2442644473bfec02e9c05abf9992e011a14e
SHA256:56f15cf68dbe3cb2e751a5b82b206ce127695ce63c31c442773d45cdbd89b496
Tags:exe
Infos:

Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Machine Learning detection for dropped file
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops files with a non-matching file extension (content does not match file extension)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
File is packed with WinRar
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • eN0ONo7Zrw.exe (PID: 7124 cmdline: C:\Users\user\Desktop\eN0ONo7Zrw.exe MD5: 9F88B9AE0FE7903BA4F24F0ED5DE67C5)
    • control.exe (PID: 6164 cmdline: "C:\Windows\System32\control.exe" "C:\Users\user\AppData\Local\Temp\0C6L3.cPl", MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
      • rundll32.exe (PID: 6228 cmdline: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\0C6L3.cPl", MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • rundll32.exe (PID: 6308 cmdline: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\0C6L3.cPl", MD5: 73C519F050C20580F8A62C849D49215A)
          • rundll32.exe (PID: 6328 cmdline: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\user\AppData\Local\Temp\0C6L3.cPl", MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: eN0ONo7Zrw.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\0C6L3.cpl | ReversingLabs: Detection: 28%
Source: eN0ONo7Zrw.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\0C6L3.cpl | Joe Sandbox ML: detected
Source: eN0ONo7Zrw.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: eN0ONo7Zrw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: .PdB- | source: 0C6L3.cpl
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb | source: eN0ONo7Zrw.exe
Source: Binary string: xLhH#tu@9B0OCZRwSC.pdb | source: 0C6L3.cpl
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01352C15 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01362D90 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01371758 FindFirstFileExA
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: String function: 01365690 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_048E5D33 NtCreateThreadEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04865D33 NtCreateThreadEx
Source: eN0ONo7Zrw.exe, 00000000.00000003.236578796.00000000036C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs eN0ONo7Zrw.exe
Source: eN0ONo7Zrw.exe, 00000000.00000003.236606329.00000000036C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs eN0ONo7Zrw.exe
Source: eN0ONo7Zrw.exe, 00000000.00000003.236600715.0000000003701000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs eN0ONo7Zrw.exe
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Section loaded: dxgidebug.dll
Source: 0C6L3.cpl.0.dr | Static PE information: Section: 4E7 ZLIB complexity 0.9976371765136719
Source: 0C6L3.cpl.0.dr | Static PE information: Section: .crt0 ZLIB complexity 0.9994577700725655
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | File read: C:\Users\user\Desktop\eN0ONo7Zrw.exe
Source: eN0ONo7Zrw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\eN0ONo7Zrw.exe C:\Users\user\Desktop\eN0ONo7Zrw.exe
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\System32\control.exe" "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6254406
Source: classification engine | Classification label: mal64.winEXE@9/1@0/0
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01351891 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_013611D2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Command line argument: sfxname (0_2_01364968)
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Command line argument: sfxstime (0_2_01364968)
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Command line argument: STARTDLG (0_2_01364968)
Source: eN0ONo7Zrw.exe | Static file information: File size 2834755 > 1048576
Source: eN0ONo7Zrw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eN0ONo7Zrw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eN0ONo7Zrw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eN0ONo7Zrw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eN0ONo7Zrw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eN0ONo7Zrw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: eN0ONo7Zrw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eN0ONo7Zrw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eN0ONo7Zrw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eN0ONo7Zrw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eN0ONo7Zrw.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01366260 push ecx; ret 0_2_01366273
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01365668 push eax; ret 0_2_01365686
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_048E1810 push esi; mov dword ptr [esp], 80B9FF70h 2_2_048E1811
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04861810 push esi; mov dword ptr [esp], 80B9FF70h 4_2_04861811
Source: eN0ONo7Zrw.exe | Static PE information: section name: .didat
Source: 0C6L3.cpl.0.dr | Static PE information: section name: 4E7
Source: 0C6L3.cpl.0.dr | Static PE information: section name: CRT
Source: 0C6L3.cpl.0.dr | Static PE information: section name: .crt0
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | File created: C:\Users\user\AppData\Local\Temp\0C6L3.cpl (dropped file)
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_013650C6 VirtualQuery,GetSystemInfo
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | API call chain: ExitProcess graph end node (graph_0-23000)
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_0136A24F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01372440 GetProcessHeap
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_0136E3C2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01366195 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_013663EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01365FF2 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01361B15 GetLocaleInfoW,GetNumberFormatW
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01356B0D cpuid
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01364968 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
Source: C:\Users\user\Desktop\eN0ONo7Zrw.exe | Code function: 0_2_01352D8E GetVersionExW
MITRE ATT&CK Matrix (techniques with a match; the number in parentheses is the count shown next to the technique in the report):
  • Execution: Command and Scripting Interpreter (2)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: DLL Side-Loading (1), Process Injection (11)
  • Defense Evasion: Masquerading (1), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Rundll32 (1), Software Packing (2), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (12), File and Directory Discovery (2), System Information Discovery (24)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)
  • No matches in: Initial Access, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact
Behavior Graph (graph image not available as text). Behavior Graph ID: 1309438; Sample: eN0ONo7Zrw.exe; Startdate: 16/09/2023; Architecture: WINDOWS; Score: 64.
  • Signatures attached to the start node: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Machine Learning detection for dropped file
  • Process chain: eN0ONo7Zrw.exe started; dropped C:\Users\user\AppData\Local\Temp\0C6L3.cpl (PE32); control.exe started; rundll32.exe started; rundll32.exe started; rundll32.exe started

Antivirus detection, submitted file (Source | Detection | Scanner | Label):
  • eN0ONo7Zrw.exe | 42% | ReversingLabs | Win32.Trojan.Uztuby
  • eN0ONo7Zrw.exe | 100% | Joe Sandbox ML
Antivirus detection, dropped file (Source | Detection | Scanner | Label):
  • C:\Users\user\AppData\Local\Temp\0C6L3.cpl | 100% | Joe Sandbox ML
  • C:\Users\user\AppData\Local\Temp\0C6L3.cpl | 29% | ReversingLabs | Win32.Dropper.Generic
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox Version:38.0.0 Beryl
Analysis ID:1309438
Start date and time:2023-09-16 13:48:08 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 12s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:eN0ONo7Zrw.exe
Original Sample Name:9f88b9ae0fe7903ba4f24f0ed5de67c5.exe
Detection:MAL
Classification:mal64.winEXE@9/1@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:Failed
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 120
  • Number of non-executed functions: 69
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
No simulations
Process:C:\Users\user\Desktop\eN0ONo7Zrw.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2846720
Entropy (8bit):7.907946029142491
Encrypted:false
SSDEEP:49152:f9voilHbQqe8rxSHpn1erjTYzz5YOfXemLgrEpjz7sEKFd:TqDAxOerj0HfJpnobd
MD5:1520885263BE005F93DD29C815D60512
SHA1:9D71042E013D116D6072E91695EF181740D3E6FC
SHA-256:6B08E4C932E76CED158B8D474B57327597C3889F519F5CFE96BB7D07F67C6E2B
SHA-512:D393416274F095ED614632D2D6F6A4D0666329030304B310C331F4921A97D646A08DB8523E654436543865E0EDCB5789B7F8F2952EA0B867E2521E65478316F8
Malicious:true
Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 29%
Reputation:low
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.9629842152105175
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:eN0ONo7Zrw.exe
File size:2'834'755 bytes
MD5:9f88b9ae0fe7903ba4f24f0ed5de67c5
SHA1:ba2c2442644473bfec02e9c05abf9992e011a14e
SHA256:56f15cf68dbe3cb2e751a5b82b206ce127695ce63c31c442773d45cdbd89b496
SHA512:ed0201d431777db69d1838e1303ba17c234dd1a11d114373996150b9c7ae55f849f383b8b0a3a75411ef378a1ca906e3777e7e0478c5db6fae73fe84a4d53039
SSDEEP:49152:acbz6gQjfbaqO2L9SH1Vrg5RHkzx5YDuHfhemBaREzjVfsMMd1zD:acbPQCRS9Wg5REOuHf9zBEn13
TLSH:EDD5233176C28675E46329324BA59636BF7C7C700722CADB23581E5E8FB42C1A9347B7
Icon Hash:1515d4d4442f2d2d
Entrypoint:0x415de0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:0x64C8CFB7 [Tue Aug 1 09:26:15 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:fa8d20faea9ef7b4e2b7fbfe93442593
Instruction
call 00007FCD587DE151h
jmp 00007FCD587DDAEDh
jmp 00007FCD587E22FFh
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FCD587DD367h
push 00431B08h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FCD587DEA8Ah
int3
push ebp
mov ebp, esp
and dword ptr [004692A8h], 00000000h
sub esp, 24h
or dword ptr [00434674h], 01h
push 0000000Ah
call dword ptr [00429170h]
test eax, eax
je 00007FCD587DDE22h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp-08h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-24h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-04h]
or eax, dword ptr [ebp-08h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007FCD587DDCB5h
mov eax, dword ptr [ebp-24h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FCD587DDC95h
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Data directories (Name | Virtual Address | Virtual Size | Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x32a30 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x32a64 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6b000 | 0xdff8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x79000 | 0x2954 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x30e40 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2b338 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x29000 | 0x22c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3205c | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections (Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics):
.text | 0x1000 | 0x27d0c | 0x27e00 | False | 0.5858946414576802 | data | 6.69415089194142 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x29000 | 0xa6e6 | 0xa800 | False | 0.4578218005952381 | data | 5.246739495724833 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x34000 | 0x35ca0 | 0x1000 | False | 0.41455078125 | DOS executable (block device driver w{\362ko\3050) | 4.160089790234222 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x6a000 | 0x178 | 0x200 | False | 0.4296875 | data | 3.2022535810191277 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x6b000 | 0xdff8 | 0xe000 | False | 0.6373639787946429 | data | 6.6386075857660645 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x79000 | 0x2954 | 0x2a00 | False | 0.7797619047619048 | data | 6.703800314116885 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity):
PNG | 0x6b650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x6c198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x6d748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x6dcb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x6e558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x6f400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x6f868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x70910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x72eb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x77588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x77358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x77498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x77228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x76ef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x76c98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x77f68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x78150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x78320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x784d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x78620 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x78a90 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x78bf8 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x78d50 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x78e60 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x78f20 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x76c30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x77810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetTimeFormatW, GetDateFormatW, LocalFree, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, GetOEMCP, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetCommandLineA
OLEAUT32.dll | VariantClear
gdiplus.dll | GdipCreateBitmapFromStream, GdipAlloc, GdipCloneImage, GdipDisposeImage, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken | Map
English | United States | (map image not included in the export)
No network behavior found

Target ID:0
Start time:13:48:55
Start date:16/09/2023
Path:C:\Users\user\Desktop\eN0ONo7Zrw.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\Desktop\eN0ONo7Zrw.exe
Imagebase:0x1350000
File size:2'834'755 bytes
MD5 hash:9F88B9AE0FE7903BA4F24F0ED5DE67C5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:13:48:56
Start date:16/09/2023
Path:C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\control.exe" "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Imagebase:0x1140000
File size:114'688 bytes
MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:2
Start time:13:48:56
Start date:16/09/2023
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Imagebase:0xc00000
File size:61'952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:3
Start time:13:49:05
Start date:16/09/2023
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Imagebase:0x7ff6d38f0000
File size:69'632 bytes
MD5 hash:73C519F050C20580F8A62C849D49215A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:4
Start time:13:49:05
Start date:16/09/2023
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\user\AppData\Local\Temp\0C6L3.cPl",
Imagebase:0xc00000
File size:61'952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

    Execution Graph

    Execution Coverage:11.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:4.2%
    Total number of Nodes:2000
    Total number of Limit Nodes:34
20269 13636e3 GetDlgItem SetWindowTextW SendMessageW 20261->20269 20272 1363723 SendMessageW 20261->20272 21233 1357d7d CompareStringW 20261->21233 21234 136115d GetCurrentDirectoryW 20261->21234 21239 1352b4b 20261->21239 21243 1352ad4 20261->21243 21246 1361ffe 20261->21246 20265 13633c1 GetFileAttributesW 20264->20265 20276 1363321 _abort _wcslen 20264->20276 20265->20261 20267 13633d3 DeleteFileW 20265->20267 20267->20261 20270 13633e4 20267->20270 20269->20261 20271 1352aa2 _swprintf 51 API calls 20270->20271 20273 1363404 GetFileAttributesW 20271->20273 20272->20261 20273->20270 20274 1363419 MoveFileW 20273->20274 20274->20261 20275 1363431 MoveFileExW 20274->20275 20275->20261 20276->20261 20276->20265 21235 1353502 20276->21235 20278 136451c __EH_prolog 20277->20278 21272 1356a26 20278->21272 20280 1364543 21276 135131a 20280->21276 20286 1364168 20285->20286 22321 13610d6 20286->22321 20289 1362a91 20289->20039 20289->20040 20290 1364175 GetWindow 20290->20289 20296 1364195 20290->20296 20291 13641a2 GetClassNameW 22326 1357d7d CompareStringW 20291->22326 20293 13641c6 GetWindowLongW 20294 136422a GetWindow 20293->20294 20295 13641d6 SendMessageW 20293->20295 20294->20289 20294->20296 20295->20294 20297 13641ec GetObjectW 20295->20297 20296->20289 20296->20291 20296->20293 20296->20294 22327 1361115 20297->22327 20299 1364203 22331 13610f4 20299->22331 22335 136131c 20299->22335 20303->20054 20305 13616e1 20304->20305 20308 1361706 20304->20308 22353 1357d7d CompareStringW 20305->22353 20307 13616f4 20307->20308 20309 13616f8 FindWindowExW 20307->20309 20310 135fa07 20308->20310 20309->20308 22354 135f9a5 20310->22354 20312 135fa24 20313 1357956 MultiByteToWideChar 20312->20313 20314 135fa5a 20312->20314 20313->20314 20314->20078 20316 1351118 20315->20316 20316->20064 20318 1352792 3 API calls 20317->20318 20319 1352789 20318->20319 20319->20088 20319->20102 22379 1361c99 GetCurrentProcess 20320->22379 20322 1361996 20323 1361a2f 20322->20323 20324 
1361a21 20322->20324 20326 1361a04 CreateDirectoryW 20322->20326 20323->20088 20324->20323 20325 1361a26 LocalFree 20324->20325 20325->20323 20326->20324 20328 13558e5 20327->20328 20329 13558c8 20327->20329 20328->20154 20330 135593a 81 API calls 20329->20330 20330->20328 20332 1361fb7 20331->20332 20332->20177 20334 1355989 20333->20334 20335 135597f 20333->20335 20337 13559fe GetCurrentProcessId 20334->20337 20339 13559a3 20334->20339 22383 13558fc 20335->22383 20338 13559cf 20337->20338 20338->20192 20339->20338 20340 1351853 76 API calls 20339->20340 20341 13559c6 20340->20341 20342 13519e9 76 API calls 20341->20342 20342->20338 20346 1360a1f 20344->20346 20345 1360a35 20348 1360a4d GetWindowRect 20345->20348 20350 136dc66 26 API calls 20345->20350 20346->20345 22395 136dc66 20346->22395 20351 1360a78 20348->20351 20350->20348 20352 1360b18 20351->20352 20355 1360ae0 20351->20355 20353 1360b15 20352->20353 20354 1360b1c ShowWindow 20352->20354 20353->20124 20354->20353 20355->20353 22403 136081e 20355->22403 20358 1360afe ShowWindow SetWindowTextW 20358->20353 20359->20114 20360->20101 20362 1352aa2 _swprintf 51 API calls 20361->20362 20363 13548a3 20362->20363 20386 1357b9f WideCharToMultiByte 20363->20386 20365 1354935 20392 1353dac 20365->20392 20367 135494d GetWindowRect GetClientRect 20368 1354a71 GetSystemMetrics GetWindow 20367->20368 20373 13549a5 20367->20373 20369 13511f1 20368->20369 20370 1354a92 20368->20370 20369->20204 20369->20208 20370->20369 20377 1354aa5 GetWindowRect 20370->20377 20371 1354a3c 20395 1353e2c 20371->20395 20373->20371 20374 1354a02 GetWindowLongW 20373->20374 20380 1354a2c GetWindowRect 20374->20380 20382 1354b1a GetWindow 20377->20382 20378 13548ba 20378->20365 20381 1354914 SetDlgItemTextW 20378->20381 20388 1353f80 20378->20388 20379 1354a62 SetWindowTextW 20379->20368 20380->20371 20381->20378 20382->20369 20382->20370 20384 1354875 20383->20384 20385 1354857 GetWindowLongW SetWindowLongW 20383->20385 20384->20204 
20385->20384 20387 1357bcc 20386->20387 20387->20378 20389 1353f8f 20388->20389 20391 1353fa4 20388->20391 20402 136c673 20389->20402 20391->20378 20393 1353e2c 52 API calls 20392->20393 20394 1353dcf 20393->20394 20394->20367 20396 1352aa2 _swprintf 51 API calls 20395->20396 20397 1353e51 20396->20397 20398 1357b9f WideCharToMultiByte 20397->20398 20399 1353e66 20398->20399 20400 1353f80 26 API calls 20399->20400 20401 1353e77 20400->20401 20401->20368 20401->20379 20403 136c68f 20402->20403 20404 136f9d2 __dosmaperr 20 API calls 20403->20404 20407 136c6a3 20403->20407 20405 136c698 20404->20405 20410 136a419 20405->20410 20408 13663dc CatchGuardHandler 5 API calls 20407->20408 20409 136c722 20408->20409 20409->20391 20413 136a39e 20410->20413 20412 136a425 20412->20407 20414 136f7e9 __dosmaperr 20 API calls 20413->20414 20415 136a3b4 20414->20415 20416 136a413 20415->20416 20417 136a3c2 20415->20417 20424 136a446 IsProcessorFeaturePresent 20416->20424 20421 13663dc CatchGuardHandler 5 API calls 20417->20421 20419 136a418 20420 136a39e ___std_exception_copy 26 API calls 20419->20420 20422 136a425 20420->20422 20423 136a3e9 20421->20423 20422->20412 20423->20412 20425 136a451 20424->20425 20428 136a24f 20425->20428 20429 136a26b _abort 20428->20429 20430 136a297 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 20429->20430 20431 136a368 _abort 20430->20431 20432 13663dc CatchGuardHandler 5 API calls 20431->20432 20433 136a386 GetCurrentProcess TerminateProcess 20432->20433 20433->20419 20435 13620f3 GetMessageW 20434->20435 20436 136212c GetDlgItem 20434->20436 20437 1362118 TranslateMessage DispatchMessageW 20435->20437 20438 1362109 IsDialogMessageW 20435->20438 20436->20214 20436->20215 20437->20436 20438->20436 20438->20437 20440 135281d 20439->20440 20441 1352841 20440->20441 20442 1352834 CreateDirectoryW 20440->20442 20443 1352780 3 API calls 20441->20443 20442->20441 20447 1352874 20442->20447 20445 1352847 20443->20445 20444 1352887 
GetLastError 20446 1352883 20444->20446 20445->20444 20452 13535e5 20445->20452 20446->20223 20447->20446 20456 1352a4b 20447->20456 20450 135285d 20450->20444 20451 1352861 CreateDirectoryW 20450->20451 20451->20444 20451->20447 20453 13535f2 _wcslen 20452->20453 20454 135369a GetCurrentDirectoryW 20453->20454 20455 135361b _wcslen 20453->20455 20454->20455 20455->20450 20464 1365690 20456->20464 20459 1352a6e 20461 13535e5 GetCurrentDirectoryW 20459->20461 20460 1352a9b 20460->20446 20462 1352a82 20461->20462 20462->20460 20463 1352a86 SetFileAttributesW 20462->20463 20463->20460 20465 1352a58 SetFileAttributesW 20464->20465 20465->20459 20465->20460 20467 1351b2b __vswprintf_c_l 20466->20467 20470 136c537 20467->20470 20473 136a5fa 20470->20473 20474 136a622 20473->20474 20475 136a63a 20473->20475 20476 136f9d2 __dosmaperr 20 API calls 20474->20476 20475->20474 20477 136a642 20475->20477 20478 136a627 20476->20478 20490 136ab99 20477->20490 20480 136a419 ___std_exception_copy 26 API calls 20478->20480 20488 136a632 20480->20488 20483 13663dc CatchGuardHandler 5 API calls 20485 1351b35 20483->20485 20485->20146 20488->20483 20491 136abb6 20490->20491 20497 136a652 20490->20497 20491->20497 20518 136f765 GetLastError 20491->20518 20493 136abd7 20538 136fcdd 20493->20538 20498 136ab64 20497->20498 20499 136ab83 __vswprintf_c_l 20498->20499 20500 136f9d2 __dosmaperr 20 API calls 20499->20500 20501 136a6ca 20500->20501 20502 136af49 20501->20502 20715 136c212 20502->20715 20504 136af6e 20505 136f9d2 __dosmaperr 20 API calls 20504->20505 20506 136af73 20505->20506 20508 136a419 ___std_exception_copy 26 API calls 20506->20508 20507 136a6d5 20515 136ac1c 20507->20515 20508->20507 20509 136af59 __vswprintf_c_l 20509->20504 20509->20507 20722 136b102 20509->20722 20729 136b9b4 20509->20729 20734 136b1ef 20509->20734 20739 136b381 20509->20739 20770 136b72c 20509->20770 20516 136f8ba _free 20 API calls 20515->20516 20517 136ac2c 20516->20517 20517->20488 20519 136f77b 
20518->20519 20523 136f781 20518->20523 20521 137126b _unexpected 11 API calls 20519->20521 20520 1371546 _unexpected 20 API calls 20522 136f793 20520->20522 20521->20523 20524 136f79b 20522->20524 20526 13712c1 _unexpected 11 API calls 20522->20526 20523->20520 20525 136f7d0 SetLastError 20523->20525 20527 136f8ba _free 20 API calls 20524->20527 20525->20493 20528 136f7b0 20526->20528 20529 136f7a1 20527->20529 20528->20524 20530 136f7b7 20528->20530 20531 136f7dc SetLastError 20529->20531 20532 136f5cc _unexpected 20 API calls 20530->20532 20546 136f340 20531->20546 20534 136f7c2 20532->20534 20536 136f8ba _free 20 API calls 20534->20536 20537 136f7c9 20536->20537 20537->20525 20537->20531 20539 136abf0 20538->20539 20540 136fcf0 20538->20540 20542 136fd0a 20539->20542 20540->20539 20606 137317f 20540->20606 20543 136fd32 20542->20543 20544 136fd1d 20542->20544 20543->20497 20544->20543 20701 1371f5e 20544->20701 20557 1372626 20546->20557 20550 136f35a IsProcessorFeaturePresent 20553 136f365 20550->20553 20551 136e4de _abort 28 API calls 20554 136f382 20551->20554 20552 136f350 20552->20550 20556 136f378 20552->20556 20555 136a24f _abort 8 API calls 20553->20555 20555->20556 20556->20551 20587 1372594 20557->20587 20560 1372681 20561 137268d _unexpected 20560->20561 20562 136f7e9 __dosmaperr 20 API calls 20561->20562 20565 13726ba _abort 20561->20565 20568 13726b4 _abort 20561->20568 20562->20568 20563 1372706 20572 1372732 20565->20572 20596 1371041 EnterCriticalSection 20565->20596 20568->20563 20568->20565 20586 13726e9 20568->20586 20590 137253a 20587->20590 20589 136f345 20589->20552 20589->20560 20591 1372546 ___scrt_is_nonwritable_in_current_image 20590->20591 20592 1371041 _abort EnterCriticalSection 20591->20592 20593 1372554 20592->20593 20594 1372588 _abort LeaveCriticalSection 20593->20594 20595 137257b _abort 20594->20595 20595->20589 20596->20572 20607 137318b ___scrt_is_nonwritable_in_current_image 20606->20607 20608 136f765 _unexpected 38 API 
calls 20607->20608 20609 1373194 20608->20609 20610 13731e2 _abort 20609->20610 20618 1371041 EnterCriticalSection 20609->20618 20610->20539 20612 13731b2 20619 13731f6 20612->20619 20617 136f340 _abort 38 API calls 20617->20610 20618->20612 20620 1373204 __cftof 20619->20620 20622 13731c6 20619->20622 20620->20622 20626 1372f32 20620->20626 20623 13731e5 20622->20623 20700 1371091 LeaveCriticalSection 20623->20700 20625 13731d9 20625->20610 20625->20617 20628 1372fb2 20626->20628 20633 1372f48 20626->20633 20627 1373000 20694 13730a5 20627->20694 20628->20627 20630 136f8ba _free 20 API calls 20628->20630 20632 1372fd4 20630->20632 20631 1372f7b 20634 1372f9d 20631->20634 20642 136f8ba _free 20 API calls 20631->20642 20635 136f8ba _free 20 API calls 20632->20635 20633->20628 20633->20631 20637 136f8ba _free 20 API calls 20633->20637 20636 136f8ba _free 20 API calls 20634->20636 20638 1372fe7 20635->20638 20639 1372fa7 20636->20639 20641 1372f70 20637->20641 20643 136f8ba _free 20 API calls 20638->20643 20644 136f8ba _free 20 API calls 20639->20644 20640 137306e 20645 136f8ba _free 20 API calls 20640->20645 20654 1372b11 20641->20654 20647 1372f92 20642->20647 20648 1372ff5 20643->20648 20644->20628 20682 1372c0f 20647->20682 20650 137300e 20650->20640 20653 136f8ba 20 API calls _free 20650->20653 20653->20650 20655 1372b22 20654->20655 20681 1372c0b 20654->20681 20656 1372b33 20655->20656 20657 136f8ba _free 20 API calls 20655->20657 20658 1372b45 20656->20658 20659 136f8ba _free 20 API calls 20656->20659 20657->20656 20659->20658 20681->20631 20683 1372c74 20682->20683 20684 1372c1c 20682->20684 20683->20634 20685 1372c2c 20684->20685 20686 136f8ba _free 20 API calls 20684->20686 20687 1372c3e 20685->20687 20688 136f8ba _free 20 API calls 20685->20688 20686->20685 20688->20687 20695 13730b2 20694->20695 20699 13730d0 20694->20699 20696 1372cb4 __cftof 20 API calls 20695->20696 20695->20699 20697 13730ca 20696->20697 20698 136f8ba _free 20 API calls 20697->20698 
20698->20699 20699->20650 20700->20625 20702 1371f6a ___scrt_is_nonwritable_in_current_image 20701->20702 20703 136f765 _unexpected 38 API calls 20702->20703 20708 1371f74 20703->20708 20705 1371ff8 _abort 20705->20543 20707 136f340 _abort 38 API calls 20707->20708 20708->20705 20708->20707 20709 136f8ba _free 20 API calls 20708->20709 20710 1371041 EnterCriticalSection 20708->20710 20711 1371fef 20708->20711 20709->20708 20710->20708 20714 1371091 LeaveCriticalSection 20711->20714 20713 1371ff6 20713->20708 20714->20713 20716 136c217 20715->20716 20717 136c22a 20715->20717 20718 136f9d2 __dosmaperr 20 API calls 20716->20718 20717->20509 20719 136c21c 20718->20719 20720 136a419 ___std_exception_copy 26 API calls 20719->20720 20721 136c227 20720->20721 20721->20509 20723 136b107 __vswprintf_c_l 20722->20723 20724 136b11e 20723->20724 20725 136f9d2 __dosmaperr 20 API calls 20723->20725 20724->20509 20726 136b110 20725->20726 20727 136a419 ___std_exception_copy 26 API calls 20726->20727 20728 136b11b 20727->20728 20728->20509 20730 136b9c5 20729->20730 20731 136b9bb 20729->20731 20730->20509 20794 136adcf 20731->20794 20735 136b1f6 20734->20735 20736 136b200 20734->20736 20737 136adcf __vswprintf_c_l 39 API calls 20735->20737 20736->20509 20738 136b1ff 20737->20738 20738->20509 20740 136b3a4 20739->20740 20741 136b38a 20739->20741 20744 136f9d2 __dosmaperr 20 API calls 20740->20744 20753 136b3d5 20740->20753 20742 136b753 20741->20742 20743 136b7be 20741->20743 20741->20753 20745 136b795 20742->20745 20747 136b75f 20742->20747 20743->20745 20749 136b804 20743->20749 20750 136b7c5 20743->20750 20746 136b3c1 20744->20746 20768 136b77a __vswprintf_c_l 20745->20768 20769 136b78e __vswprintf_c_l 20745->20769 20843 136bef6 20745->20843 20748 136a419 ___std_exception_copy 26 API calls 20746->20748 20752 136b76c 20747->20752 20759 136b7a5 20747->20759 20747->20768 20755 136b3cc 20748->20755 20857 136c0d3 20749->20857 20751 136b7ca 20750->20751 20750->20752 20751->20745 20756 
136b7cf 20751->20756 20752->20768 20752->20769 20849 136bc5c 20752->20849 20753->20509 20755->20509 20760 136b7d4 20756->20760 20761 136b7e2 20756->20761 20759->20769 20829 136be5e 20759->20829 20760->20769 20833 136c0b4 20760->20833 20837 136c040 20761->20837 20763 13663dc CatchGuardHandler 5 API calls 20766 136b985 20763->20766 20766->20509 20768->20769 20860 136c35b 20768->20860 20769->20763 20771 136b753 20770->20771 20772 136b7be 20770->20772 20781 136b795 20771->20781 20782 136b75f 20771->20782 20773 136b804 20772->20773 20774 136b7c5 20772->20774 20772->20781 20777 136c0d3 __vswprintf_c_l 26 API calls 20773->20777 20775 136b7ca 20774->20775 20776 136b76c 20774->20776 20778 136b7cf 20775->20778 20775->20781 20780 136b78e __vswprintf_c_l 20776->20780 20784 136bc5c __vswprintf_c_l 48 API calls 20776->20784 20792 136b77a __vswprintf_c_l 20776->20792 20777->20792 20785 136b7d4 20778->20785 20786 136b7e2 20778->20786 20779 136b7a5 20779->20780 20789 136be5e __vswprintf_c_l 40 API calls 20779->20789 20788 13663dc CatchGuardHandler 5 API calls 20780->20788 20781->20780 20783 136bef6 __vswprintf_c_l 26 API calls 20781->20783 20781->20792 20782->20776 20782->20779 20782->20792 20783->20792 20784->20792 20785->20780 20790 136c0b4 __vswprintf_c_l 26 API calls 20785->20790 20787 136c040 __vswprintf_c_l 26 API calls 20786->20787 20787->20792 20791 136b985 20788->20791 20789->20792 20790->20792 20791->20509 20792->20780 20793 136c35b __vswprintf_c_l 40 API calls 20792->20793 20793->20780 20797 136fa5f 20794->20797 20798 136fa7a __vsnwprintf_l 20797->20798 20801 136d437 20798->20801 20802 136c212 __vsnwprintf_l 26 API calls 20801->20802 20807 136d449 20802->20807 20803 136adf8 20803->20509 20804 136d486 20805 136ab99 __cftof 38 API calls 20804->20805 20812 136d492 20805->20812 20806 136d460 20808 136f9d2 __dosmaperr 20 API calls 20806->20808 20807->20803 20807->20804 20807->20806 20809 136d465 20808->20809 20810 136a419 ___std_exception_copy 26 API calls 20809->20810 
20810->20803 20813 136d4b8 20812->20813 20819 1370ba6 20812->20819 20815 136d78f 20813->20815 20823 136db44 20813->20823 20814 136db44 __vswprintf_c_l 26 API calls 20815->20814 20820 1370bbf 20819->20820 20822 1370bbb 20819->20822 20821 1370bd7 GetStringTypeW 20820->20821 20820->20822 20821->20822 20822->20812 20824 136db57 20823->20824 20825 136db6c 20823->20825 20824->20825 20825->20815 20830 136be8a __vswprintf_c_l 20829->20830 20832 136beb9 20830->20832 20864 136fa8b 20830->20864 20832->20768 20834 136c0c0 20833->20834 20835 136bef6 __vswprintf_c_l 26 API calls 20834->20835 20836 136c0d2 20835->20836 20836->20768 20841 136c055 __vswprintf_c_l 20837->20841 20838 136f9d2 __dosmaperr 20 API calls 20839 136c05e 20838->20839 20840 136a419 ___std_exception_copy 26 API calls 20839->20840 20842 136c069 20840->20842 20841->20838 20841->20842 20842->20768 20844 136bf07 __vswprintf_c_l 20843->20844 20845 136f9d2 __dosmaperr 20 API calls 20844->20845 20848 136bf31 __vswprintf_c_l 20844->20848 20846 136bf26 20845->20846 20847 136a419 ___std_exception_copy 26 API calls 20846->20847 20847->20848 20848->20768 20850 136bc78 20849->20850 20879 136a797 20850->20879 20852 136bcc5 __vswprintf_c_l 20889 1370602 20852->20889 20858 136bef6 __vswprintf_c_l 26 API calls 20857->20858 20859 136c0ea 20858->20859 20859->20768 20861 136c3bb __vswprintf_c_l 20860->20861 20862 136c36d __vswprintf_c_l 20860->20862 20861->20769 20862->20861 20863 136fa8b __fassign 40 API calls 20862->20863 20863->20862 20865 136fa9c 20864->20865 20870 136faa8 20864->20870 20866 136ab99 __cftof 38 API calls 20865->20866 20865->20870 20867 136fac8 20866->20867 20867->20870 20876 1370d3b 20867->20876 20870->20832 20871 136fb3c MultiByteToWideChar 20871->20870 20877 136ab99 __cftof 38 API calls 20876->20877 20878 136faf6 20877->20878 20878->20871 20880 136a7c2 20879->20880 20881 136a7b3 20879->20881 20883 136a7b8 20880->20883 20921 136f9e5 20880->20921 20882 136f9d2 __dosmaperr 20 API calls 20881->20882 20882->20883 
20883->20852 20886 136a800 20890 1370612 20889->20890 20891 1370628 20889->20891 20893 136f9d2 __dosmaperr 20 API calls 20890->20893 20892 137063c 20891->20892 20900 1370652 __vswprintf_c_l 20891->20900 20922 136fa23 20921->20922 20926 136f9f3 _unexpected 20921->20926 20923 136f9d2 __dosmaperr 20 API calls 20922->20923 20925 136a7e9 20923->20925 20924 136fa0e RtlAllocateHeap 20924->20925 20924->20926 20925->20886 20928 136ac36 20925->20928 20926->20922 20926->20924 20931 136e06e 20926->20931 20929 136f8ba _free 20 API calls 20928->20929 20932 136e0b2 _unexpected EnterCriticalSection LeaveCriticalSection 20931->20932 20933 136e084 20932->20933 20934 13663dc CatchGuardHandler 5 API calls 20933->20934 21076 1351d67 21075->21076 21077 1351d91 21075->21077 21076->21077 21086 135272f 21076->21086 21077->20245 21081 1351c3c 21080->21081 21082 1351c5a 21080->21082 21081->21082 21084 1351c48 FindCloseChangeNotification 21081->21084 21083 1351c79 21082->21083 21094 13517fd 21082->21094 21083->20245 21084->21082 21087 1365690 21086->21087 21088 135273c DeleteFileW 21087->21088 21089 135274f 21088->21089 21090 1351d8f 21088->21090 21091 13535e5 GetCurrentDirectoryW 21089->21091 21090->20245 21092 1352763 21091->21092 21092->21090 21093 1352767 DeleteFileW 21092->21093 21093->21090 21095 1351806 21094->21095 21097 1351819 21094->21097 21100 1351684 21095->21100 21097->21083 21101 1351695 21100->21101 21109 13573d1 21101->21109 21110 13573de 21109->21110 21112 13573ed 21110->21112 21115 1357612 21110->21115 21169 1353f40 21163->21169 21166 1354bd5 SetDlgItemTextW 21166->20252 21167 1354bfb LoadStringW 21167->21166 21168 1354c12 LoadStringW 21167->21168 21168->21166 21174 1353e7c 21169->21174 21171 1353f5d 21172 1353f72 21171->21172 21173 1353f80 26 API calls 21171->21173 21172->21166 21172->21167 21173->21172 21175 1353e94 21174->21175 21181 1353f14 _strncpy 21174->21181 21176 1357b9f WideCharToMultiByte 21175->21176 21177 1353eb8 21175->21177 21176->21177 21180 1353ee9 
21177->21180 21182 1354b41 21177->21182 21179 136c673 26 API calls 21179->21181 21180->21179 21181->21171 21185 1354b5b 21182->21185 21188 1354b76 21185->21188 21189 1354b8d __vswprintf_c_l 21188->21189 21192 136c513 21189->21192 21195 136a47e 21192->21195 21196 136a4a6 21195->21196 21197 136a4be 21195->21197 21198 136f9d2 __dosmaperr 20 API calls 21196->21198 21197->21196 21199 136a4c6 21197->21199 21200 136a4ab 21198->21200 21201 136ab99 __cftof 38 API calls 21199->21201 21202 136a419 ___std_exception_copy 26 API calls 21200->21202 21203 136a4d6 21201->21203 21210 136a4b6 21202->21210 21212 136ab2f 21203->21212 21204 13663dc CatchGuardHandler 5 API calls 21207 1354b57 21204->21207 21207->21180 21209 136ac1c __vswprintf_c_l 20 API calls 21209->21210 21210->21204 21213 136ab4e __vsnwprintf_l 21212->21213 21214 136f9d2 __dosmaperr 20 API calls 21213->21214 21215 136a54e 21214->21215 21216 136ae2d 21215->21216 21217 136c212 __vsnwprintf_l 26 API calls 21216->21217 21223 136ae3d __vsnwprintf_l 21217->21223 21218 136ae52 21219 136f9d2 __dosmaperr 20 API calls 21218->21219 21221 136a559 21221->21209 21223->21218 21223->21221 21224 136b989 __vsnwprintf_l 42 API calls 21223->21224 21225 136b1c7 __vsnwprintf_l 42 API calls 21223->21225 21226 136b218 __vsnwprintf_l 50 API calls 21223->21226 21227 136b0e3 __vsnwprintf_l 26 API calls 21223->21227 21228 136b4fd __vsnwprintf_l 50 API calls 21223->21228 21224->21223 21225->21223 21226->21223 21227->21223 21228->21223 21231 1361e8e 21229->21231 21230 1361f7d 21230->20261 21231->21230 21232 1361f60 ExpandEnvironmentStringsW 21231->21232 21232->21230 21233->20261 21234->20261 21236 1353517 21235->21236 21237 1352aa2 _swprintf 51 API calls 21236->21237 21238 135352e _wcslen 21236->21238 21237->21238 21238->20276 21241 1352b59 21239->21241 21240 1352c15 6 API calls 21240->21241 21241->21240 21242 1352bec 21241->21242 21242->20261 21244 1352ae6 21243->21244 21245 1352adf FindClose 21243->21245 21244->20261 21245->21244 21247 1362008 
___std_exception_copy 21246->21247 21251 1362027 _wcslen 21247->21251 21252 13518c4 21247->21252 21249 1361e84 ExpandEnvironmentStringsW 21249->21251 21250 13620c9 21250->20261 21251->21249 21251->21250 21257 13518d7 21252->21257 21265 1351667 21257->21265 21266 1351678 21265->21266 21267 13573d1 74 API calls 21266->21267 21268 1351680 21267->21268 21273 1356a33 _wcslen 21272->21273 21290 13569b0 21273->21290 21275 1356a4b 21275->20280 21291 13569c2 21290->21291 21295 1356a1a 21290->21295 21294 13569eb 21291->21294 21298 1351853 21291->21298 21294->21295 21297 13518c4 75 API calls 21294->21297 21295->21275 21297->21295 21299 1351b14 __vswprintf_c_l 51 API calls 21298->21299 21300 1351876 21299->21300 22322 13610f4 4 API calls 22321->22322 22323 13610dd 22322->22323 22324 13610e9 22323->22324 22325 1361115 4 API calls 22323->22325 22324->20289 22324->20290 22325->22324 22326->20296 22328 136111e 22327->22328 22329 1361123 22327->22329 22344 1361173 GetDC 22328->22344 22329->20299 22332 1361102 22331->22332 22333 13610fd 22331->22333 22332->20299 22334 1361173 4 API calls 22333->22334 22334->22332 22347 13611a9 GetDC GetDeviceCaps ReleaseDC 22335->22347 22337 1361324 22338 136133e GetObjectW 22337->22338 22339 1361328 22337->22339 22341 1361370 22338->22341 22348 13615de GetDC 22339->22348 22342 1361339 SendMessageW DeleteObject 22341->22342 22343 1361567 DeleteObject 22341->22343 22342->20294 22343->22342 22345 13611a7 22344->22345 22346 1361182 GetDeviceCaps GetDeviceCaps ReleaseDC 22344->22346 22345->22329 22346->22345 22347->22337 22349 13615fa GetObjectW 22348->22349 22351 1361632 ReleaseDC 22349->22351 22351->22342 22353->20307 22355 135f9af __EH_prolog 22354->22355 22362 1351ee0 22355->22362 22357 135f9d8 22358 135f9ee 22357->22358 22373 135f871 22357->22373 22360 1351bae 80 API calls 22358->22360 22361 135f9f9 22360->22361 22361->20312 22363 1351eea 22362->22363 22364 1351f4b CreateFileW 22363->22364 22365 1351f6c GetLastError 22364->22365 22368 1351fbb 
22364->22368 22366 13535e5 GetCurrentDirectoryW 22365->22366 22367 1351f8c 22366->22367 22367->22368 22370 1351f90 CreateFileW GetLastError 22367->22370 22369 1351fff 22368->22369 22371 1351fe5 SetFileTime 22368->22371 22369->22357 22370->22368 22372 1351fb5 22370->22372 22371->22369 22372->22368 22374 135f880 22373->22374 22375 1351e2a 79 API calls 22374->22375 22376 135f90f __InternalCxxFrameHandler 22374->22376 22377 135f8a2 22375->22377 22376->22358 22377->22376 22378 13516d9 74 API calls 22377->22378 22378->22376 22380 1361cb5 22379->22380 22381 1361cd3 GetLastError 22380->22381 22382 1361cde ___std_exception_copy 22380->22382 22381->22382 22382->20322 22384 1355905 22383->22384 22385 1355934 22383->22385 22389 1356b9c 22384->22389 22385->20334 22388 1355915 GetProcAddress GetProcAddress 22388->22385 22390 1365690 22389->22390 22391 1356ba9 GetSystemDirectoryW 22390->22391 22392 1356bc1 22391->22392 22393 135590f 22391->22393 22394 1356bd2 LoadLibraryW 22392->22394 22393->22385 22393->22388 22394->22393 22396 136dc75 ___std_exception_copy 22395->22396 22397 136dc71 22395->22397 22398 136dca1 22396->22398 22407 1370cd7 22396->22407 22397->20345 22398->20345 22401 136a446 Concurrency::cancel_current_task 11 API calls 22402 136dcc6 22401->22402 22406 136082f _wcslen ___std_exception_copy 22403->22406 22404 13609e3 22404->20353 22404->20358 22405 1357d9f CompareStringW 22405->22406 22406->22404 22406->22405 22408 1370cf2 22407->22408 22409 1370ce4 22407->22409 22410 136f9d2 __dosmaperr 20 API calls 22408->22410 22409->22408 22411 1370d0b 22409->22411 22415 1370cfc 22410->22415 22413 136dcaf 22411->22413 22414 136f9d2 __dosmaperr 20 API calls 22411->22414 22412 136a419 ___std_exception_copy 26 API calls 22412->22413 22413->22398 22413->22401 22414->22415 22415->22412 22442 1365c50 22447 1366195 SetUnhandledExceptionFilter 22442->22447 22444 1365c55 22448 136f21a 22444->22448 22446 1365c60 22447->22444 22449 136f226 22448->22449 22450 136f240 22448->22450 
    • Call-graph image not reproduced: the rendering residue listed function-address nodes and edges annotated with their API-call counts (e.g. _free 20 API calls, __dosmaperr 20 API calls, ___std_exception_copy 26 API calls, EnterCriticalSection/LeaveCriticalSection, WriteFile, WriteConsoleW, CreateFileW, SetFilePointerEx, CloseHandle, SetStdHandle, LoadLibraryExA/LoadLibraryExW, GetProcAddress, FreeLibrary, RaiseException, VirtualProtect, VirtualQuery, GetSystemInfo, RtlAcquireSRWLockExclusive/RtlReleaseSRWLockExclusive, RtlAllocateHeap, RtlFreeHeap, TlsGetValue, TlsSetValue, GetModuleHandleW, GetModuleHandleExW, GetCurrentProcess, TerminateProcess, ExitProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetConsoleCP, GetConsoleMode, WideCharToMultiByte, GetLastError, SetLastError, DeleteCriticalSection, ___delayLoadHelper2@8, DloadAcquireSectionWriteAccess, DloadReleaseSectionWriteAccess, DloadProtectSection).

    Control-flow Graph
    • Graph image not reproduced (legend: Executed / Not Executed). Entry block 1364968-13649b1 calls 1356be4, 136115d, 136181b, 1366660 and GetCommandLineW; one branch (13649b7 onward) goes through OpenFileMappingW, MapViewOfFile, UnmapViewOfFile and CloseHandle, the other (1364a48 onward) through GetModuleFileNameW, SetEnvironmentVariableW, GetLocalTime, GetModuleHandleW, LoadIconW and DialogBoxParamW, then Sleep, DeleteObject and CloseHandle on the exit path.
    APIs
      • Part of subcall function 01356BE4: GetModuleHandleW.KERNEL32(kernel32), ref: 01356BFD
      • Part of subcall function 01356BE4: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 01356C0F
      • Part of subcall function 01356BE4: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 01356C40
      • Part of subcall function 0136115D: GetCurrentDirectoryW.KERNEL32(?,?), ref: 01361165
      • Part of subcall function 0136181B: OleInitialize.OLE32(00000000), ref: 01361834
      • Part of subcall function 0136181B: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0136186B
      • Part of subcall function 0136181B: SHGetMalloc.SHELL32(0139F948), ref: 01361875
    • GetCommandLineW.KERNEL32 ref: 013649A7
    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 013649D1
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007402), ref: 013649E2
    • UnmapViewOfFile.KERNEL32(00000000), ref: 01364A33
      • Part of subcall function 01364676: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0136468C
      • Part of subcall function 01364676: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 013646C8
      • Part of subcall function 01355A27: _wcslen.LIBCMT ref: 01355A4B
    • CloseHandle.KERNEL32(00000000), ref: 01364A3A
    • GetModuleFileNameW.KERNEL32(00000000,013B6210,00000800), ref: 01364A54
    • SetEnvironmentVariableW.KERNEL32(sfxname,013B6210), ref: 01364A60
    • GetLocalTime.KERNEL32(?), ref: 01364A6B
    • _swprintf.LIBCMT ref: 01364AAA
    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 01364ABF
    • GetModuleHandleW.KERNEL32(00000000), ref: 01364AC6
    • LoadIconW.USER32(00000000,00000064), ref: 01364ADD
    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00012350,00000000), ref: 01364B2E
    • Sleep.KERNEL32(?), ref: 01364B5C
    • DeleteObject.GDI32 ref: 01364B95
    • DeleteObject.GDI32(?), ref: 01364BA5
    • CloseHandle.KERNEL32 ref: 01364BE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf_wcslen
    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
    • API String ID: 3014515783-3710569615
    • Opcode ID: 997cdcc13cc0db9cfb9180315f4af2b836023ec298b80ca8f1ba74170a610a02
    • Instruction ID: aa9c4429d49d2096a1ba831a0065919b64724955acdcefc804962beef0c1ba8f
    • Opcode Fuzzy Hash: 997cdcc13cc0db9cfb9180315f4af2b836023ec298b80ca8f1ba74170a610a02
    • Instruction Fuzzy Hash: A061E371904301BFD731AB69EC89F6B3FACEB9475DF044519FA45A3288EB388844C7A1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph
    • Graph image not reproduced (legend: Executed / Not Executed). Entry block 13611d2-13611ef calls FindResourceW; the success path continues through SizeofResource, LoadResource, LockResource, GlobalAlloc, GlobalLock, a call to 1366c90 and 1361136, then GdipCreateHBITMAPFromBitmap, with GlobalUnlock and GlobalFree on the cleanup path; every failure check falls through to the exit block at 13612eb.
    APIs
    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,013622AD,00000066), ref: 013611E5
    • SizeofResource.KERNEL32(00000000,?,?,?,013622AD,00000066), ref: 013611FC
    • LoadResource.KERNEL32(00000000,?,?,?,013622AD,00000066), ref: 01361213
    • LockResource.KERNEL32(00000000,?,?,?,013622AD,00000066), ref: 01361222
    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,013622AD,00000066), ref: 0136123D
    • GlobalLock.KERNEL32 ref: 0136124E
    • GlobalUnlock.KERNEL32(00000000), ref: 013612D6
      • Part of subcall function 01361136: GdipAlloc.GDIPLUS(00000010), ref: 0136113C
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 013612B7
    • GlobalFree.KERNEL32 ref: 013612DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
    • String ID: PNG
    • API String ID: 541704414-364855578
    • Opcode ID: c279e794244d1aaf7dc6f46939e61b5174bf16980a257f170fc0705303980557
    • Instruction ID: 6e944766edd9fcabdca3bc7a0bba5b818d8ac3b4f1a1cd8908c817ec939e275e
    • Opcode Fuzzy Hash: c279e794244d1aaf7dc6f46939e61b5174bf16980a257f170fc0705303980557
    • Instruction Fuzzy Hash: EF3130B1600716AFD7329F65EC49A1B7FBCFF857A9B048619F905D2258EB31D800CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph
    • Graph image not reproduced (legend: Executed / Not Executed). Entry block 1352c15-1352c39 calls 1365690, then either FindNextFileW (1352ca1) or FindFirstFileW (1352c3b, retried at 1352c5e after a call to 13535e5); both paths check GetLastError on failure and converge on the block at 1352cbc, which calls 135695c, 13539d4 and 13573ad before the exit at 1352d7e.
    APIs
    • FindFirstFileW.KERNELBASE(?,?), ref: 01352C3E
      • Part of subcall function 013535E5: _wcslen.LIBCMT ref: 01353609
    • FindFirstFileW.KERNELBASE(?,?,?,?,00000800), ref: 01352C6C
    • GetLastError.KERNEL32(?,?,00000800), ref: 01352C78
    • FindNextFileW.KERNEL32(?,?), ref: 01352CA2
    • GetLastError.KERNEL32 ref: 01352CAE
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: FileFind$ErrorFirstLast$Next_wcslen
    • String ID:
    • API String ID: 42610566-0
    • Opcode ID: b64b79b6e282a7015709660861e5df110464cca608543286059c0070816b7ca2
    • Instruction ID: 4bdbc83d45522c7721f35022b0aa54b360ad2662d9bc90c957e8d3cbe57198f6
    • Opcode Fuzzy Hash: b64b79b6e282a7015709660861e5df110464cca608543286059c0070816b7ca2
    • Instruction Fuzzy Hash: 23415E72900519EBCB65DF68CC84FEAB7B8BB48754F000696ED5DE3201D774AA94CF90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcess.KERNEL32(00000003,?,0136E398,00000003,01381D50,0000000C,0136E4EF,00000003,00000002,00000000,?,0136F382,00000003), ref: 0136E3E3
    • TerminateProcess.KERNEL32(00000000,?,0136E398,00000003,01381D50,0000000C,0136E4EF,00000003,00000002,00000000,?,0136F382,00000003), ref: 0136E3EA
    • ExitProcess.KERNEL32 ref: 0136E3FC
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: dff43044a1c8382bafc2a98a21bcefaf4ad20535e290abda34e7982b6ecb13e9
    • Instruction ID: 2ebd923771b4a0dc040c2154ce5f7df823ee6ab9c9bde5ef82286c8fa3a7c848
    • Opcode Fuzzy Hash: dff43044a1c8382bafc2a98a21bcefaf4ad20535e290abda34e7982b6ecb13e9
    • Instruction Fuzzy Hash: 71E04F31000154EBCF22AF68D90CB493B2DEB00369F008424F90556125DB35D942CB50
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID: c
    • API String ID: 0-112844655
    • Opcode ID: ca50c9bdd23865e4813df8a5e38717c3af6fb7460c344940e44bf027378a24b8
    • Instruction ID: 19797d3f956721bc5640171de5e85a542e8a9163cb7a4118ac8e6727df076ef2
    • Opcode Fuzzy Hash: ca50c9bdd23865e4813df8a5e38717c3af6fb7460c344940e44bf027378a24b8
    • Instruction Fuzzy Hash: D2E16971A083958FC765DF28D480A6EFBE6BBC8B08F00492EE89997345D730E845CF52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_000161B0,01365C55), ref: 0136619A
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 6dc97d1ce587b2b80ee85b0f2bc79ac4046790399f18f0dd572a18a377819acd
    • Instruction ID: 20ccef9f79a798011f8ffb2d1ac22a10967d38d6a39393885e07e7b6c4c57084
    • Opcode Fuzzy Hash: 6dc97d1ce587b2b80ee85b0f2bc79ac4046790399f18f0dd572a18a377819acd
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 01362355
      • Part of subcall function 013511C6: GetDlgItem.USER32(00000000,00003021), ref: 0135120A
      • Part of subcall function 013511C6: SetWindowTextW.USER32(00000000,01379584), ref: 01351220
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 01362441
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0136245F
    • IsDialogMessageW.USER32(?,?), ref: 01362472
    • TranslateMessage.USER32(?), ref: 01362480
    • DispatchMessageW.USER32(?), ref: 0136248A
    • GetDlgItemTextW.USER32(?,00000066,?,00000800), ref: 013624AD
    • EndDialog.USER32(?,00000001), ref: 013624D0
    • GetDlgItem.USER32(?,00000068), ref: 013624F3
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0136250E
    • SendMessageW.USER32(00000000,000000C2,00000000,01379584), ref: 01362521
      • Part of subcall function 01363F05: _wcslen.LIBCMT ref: 01363F2F
    • SetFocus.USER32(00000000), ref: 01362528
    • _swprintf.LIBCMT ref: 01362587
      • Part of subcall function 01352AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01352AB5
    • GetLastError.KERNEL32(00000000,?), ref: 013625EA
    • GetLastError.KERNEL32(?,00000000,?), ref: 01362612
    • GetTickCount.KERNEL32 ref: 01362630
    • _swprintf.LIBCMT ref: 01362648
    • GetLastError.KERNEL32 ref: 0136267A
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,00000000,?), ref: 013626CD
    • _swprintf.LIBCMT ref: 01362704
    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,00007402,winrarsfxmappingfile.tmp), ref: 01362758
    • GetCommandLineW.KERNEL32 ref: 0136276E
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000,013A696A,00000400,00000001,00000001), ref: 013627C5
    • ShellExecuteExW.SHELL32(0000003C), ref: 013627ED
    • WaitForInputIdle.USER32(?,00002710), ref: 01362821
    • Sleep.KERNEL32(00000064), ref: 01362835
    • UnmapViewOfFile.KERNEL32(?,?,0000421C,013A696A,00000400), ref: 0136285E
    • CloseHandle.KERNEL32(00000000), ref: 01362867
    • _swprintf.LIBCMT ref: 0136289A
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 013628F9
    • SetDlgItemTextW.USER32(?,00000065,01379584), ref: 01362910
    • GetDlgItem.USER32(?,00000065), ref: 01362919
    • GetWindowLongW.USER32(00000000,000000F0), ref: 01362928
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 01362937
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 013629E4
    • _wcslen.LIBCMT ref: 01362A3A
    • _swprintf.LIBCMT ref: 01362A64
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 01362AAE
    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,?), ref: 01362AC8
    • GetDlgItem.USER32(?,00000068), ref: 01362AD1
    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 01362AE7
    • GetDlgItem.USER32(?,00000066), ref: 01362B01
    • SetWindowTextW.USER32(00000000,013A8D8A), ref: 01362B23
    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 01362B78
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 01362B8B
    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_00012130,00000000,?), ref: 01362C2E
    • EnableWindow.USER32(00000000,00000000), ref: 01362D08
    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 01362D4A
      • Part of subcall function 013631F1: __EH_prolog.LIBCMT ref: 013631F6
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 01362D6E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Item$MessageText$Send$Window_swprintf$File$DialogErrorLast$H_prologLongView_wcslen$CloseCommandCountCreateDispatchEnableExecuteFocusHandleIdleInputLineMappingModuleNameParamShellSleepTickTranslateUnmapWait__vswprintf_c_l
    • String ID: %s$"%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
    • API String ID: 3103142498-1645151803
    • Opcode ID: d748e414adcbdb5342213d6ada2cb237cee936e9d0f035f064ccc012a1fc9c99
    • Instruction ID: 516881fd3802159546e8a5dff82df93a2d61cb83b668bf725dc11af219eede01
    • Opcode Fuzzy Hash: d748e414adcbdb5342213d6ada2cb237cee936e9d0f035f064ccc012a1fc9c99
    • Instruction Fuzzy Hash: 5D42F471A44249BEEB32AB68DC89FBF3B7CAB1170CF058154FA40B61C9D7794984CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not reproduced in this extraction (function starting at 1356be4; executed / not-executed block colouring is lost)
    APIs
    • GetModuleHandleW.KERNEL32(kernel32), ref: 01356BFD
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 01356C0F
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 01356C40
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01356EEA
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 01356F04
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 01356F14
    • ReadFile.KERNEL32(00000000,?,00007FFE,0137987C,00000000), ref: 01356F32
    • CloseHandle.KERNEL32(00000000), ref: 01356F8A
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 01356F9F
    • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,0137987C,?,00000000,?,00000800), ref: 01356FF3
    • GetFileAttributesW.KERNELBASE(?,?,0137987C,00000800,?,00000000,?,00000800), ref: 0135701D
    • GetFileAttributesW.KERNEL32(?,?,01379944,00000800), ref: 01357059
      • Part of subcall function 01356B9C: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01356BB7
      • Part of subcall function 01356B9C: LoadLibraryW.KERNELBASE(?,?,0135590F,Crypt32.dll,00000000,01355989,?,?,0135596C,00000000,00000000,?,00000000), ref: 01356BD9
    • _swprintf.LIBCMT ref: 013570CB
    • _swprintf.LIBCMT ref: 01357117
      • Part of subcall function 01352AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01352AB5
    • AllocConsole.KERNEL32 ref: 0135711F
    • GetCurrentProcessId.KERNEL32 ref: 01357129
    • AttachConsole.KERNEL32(00000000), ref: 01357130
    • _wcslen.LIBCMT ref: 01357145
    • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 01357156
    • WriteConsoleW.KERNEL32(00000000), ref: 0135715D
    • Sleep.KERNEL32(00002710), ref: 01357168
    • FreeConsole.KERNEL32 ref: 0135716E
    • ExitProcess.KERNEL32 ref: 01357176
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
    • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
    • API String ID: 1207345701-3298887752
    • Opcode ID: 55f5aa91a26eed75340dfee04ed824d830580c4cc36379795138de6cace23650
    • Instruction ID: 891191643816e605c6eb03cff92a59dede7f00932603763b334b397024feb79b
    • Opcode Fuzzy Hash: 55f5aa91a26eed75340dfee04ed824d830580c4cc36379795138de6cace23650
    • Instruction Fuzzy Hash: 60D14FB54083859BE7759F54C848FDFBBECBB8572CF900A1DE58996240DB38854CCBA2
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not reproduced in this extraction (function starting at 13631f1; executed / not-executed block colouring is lost)
    APIs
    • __EH_prolog.LIBCMT ref: 013631F6
      • Part of subcall function 01361E84: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 01361F6B
    • _wcslen.LIBCMT ref: 013634BC
    • _wcslen.LIBCMT ref: 013634C5
    • SetWindowTextW.USER32(?,?), ref: 01363523
    • _wcslen.LIBCMT ref: 01363565
    • _wcsrchr.LIBVCRUNTIME ref: 013636AD
    • GetDlgItem.USER32(?,00000066), ref: 013636E8
    • SetWindowTextW.USER32(00000000,?), ref: 013636F8
    • SendMessageW.USER32(00000000,00000143,00000000,013A8D8A), ref: 01363706
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01363731
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen$MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
    • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
    • API String ID: 2804936435-312220925
    • Opcode ID: 79b0f772df9ba178c91e53d7e967e13c89ab6babed7b4539869477c1bfb9c7b2
    • Instruction ID: ea08cc79170d9ebd57bf3bc5e90502079043e5d7db649334fd194761fea23d78
    • Opcode Fuzzy Hash: 79b0f772df9ba178c91e53d7e967e13c89ab6babed7b4539869477c1bfb9c7b2
    • Instruction Fuzzy Hash: ACE17672D00119AADF35DBA8DC84EEE77BCFF04758F4484A5E60DE7148EB749A848B60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 01354000
    • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 0135403C
      • Part of subcall function 01353919: _wcslen.LIBCMT ref: 01353921
      • Part of subcall function 01356934: _wcslen.LIBCMT ref: 0135693A
      • Part of subcall function 01357956: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,013535CB,00000000,?,?), ref: 01357972
    • _wcslen.LIBCMT ref: 01354379
    • __fprintf_l.LIBCMT ref: 013544AC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen$ByteCharFileH_prologModuleMultiNameWide__fprintf_l
    • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
    • API String ID: 566448164-801612888
    • Opcode ID: 7a456ef4a0e6907dceeeb8a15ab8ba08cb6a47ed6d97d292b11fb22915f29bfe
    • Instruction ID: 2c983b41035003014ebb1383513d64cdce166a9d75df00e58b92af7bbca0caa2
    • Opcode Fuzzy Hash: 7a456ef4a0e6907dceeeb8a15ab8ba08cb6a47ed6d97d292b11fb22915f29bfe
    • Instruction Fuzzy Hash: 3E32DF71A00219EBDB69DF68C844FED7BB8FF14B28F40415AFE0597290E7719984CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: __allrem_wcslen$H_prolog
    • String ID: 0C6L3.cpl$AES-0017$x$z01$zip$zipx$zx01
    • API String ID: 2085098250-1085946349
    • Opcode ID: aca2933ee44155b9a2da0844a66bf688a728fbfdb1b663ed5d021bac4b37ed8d
    • Instruction ID: 0bb510a69df83064aaea21f7525c5ac5805e46610651837421e6a9d6ea62181e
    • Opcode Fuzzy Hash: aca2933ee44155b9a2da0844a66bf688a728fbfdb1b663ed5d021bac4b37ed8d
    • Instruction Fuzzy Hash: 6BB2CC71900259DFEFA5DF29D890FAD7BB9BB08B1CF14012AED0597285E731D984CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not reproduced in this extraction (function starting at 1363f86; executed / not-executed block colouring is lost)
    APIs
      • Part of subcall function 013620D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 013620E9
      • Part of subcall function 013620D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 013620FA
      • Part of subcall function 013620D8: IsDialogMessageW.USER32(?,?), ref: 0136210E
      • Part of subcall function 013620D8: TranslateMessage.USER32(?), ref: 0136211C
      • Part of subcall function 013620D8: DispatchMessageW.USER32(?), ref: 01362126
    • GetDlgItem.USER32(00000068,013B7248), ref: 01363F9A
    • ShowWindow.USER32(00000000,00000005,?,?,?,01361B0D,00000001,?,?,01362329,0137ADA0,013B7248,013B7248,00001000,00000000,00000000), ref: 01363FC2
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 01363FCD
    • SendMessageW.USER32(00000000,000000C2,00000000,01379584), ref: 01363FDB
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 01363FF1
    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0136400B
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0136404F
    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0136405D
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0136406C
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 01364093
    • SendMessageW.USER32(00000000,000000C2,00000000,01379F1C), ref: 013640A2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
    • String ID: \
    • API String ID: 3569833718-2967466578
    • Opcode ID: 8c3bd9991865436f0341ace3bbc9665f4f4dfa311373c8ac28620ad51ebe21eb
    • Instruction ID: b15a6779e3ec743429c15abb48af274b6b64b54563fccb5e348cebe4cfc856ff
    • Opcode Fuzzy Hash: 8c3bd9991865436f0341ace3bbc9665f4f4dfa311373c8ac28620ad51ebe21eb
    • Instruction Fuzzy Hash: 7C312471149B04BFE3219F24DC88FAF7FACEB82719F000508F642D7284D765494D8BA6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not reproduced in this extraction (function starting at 136424f; executed / not-executed block colouring is lost)
    APIs
    • _wcslen.LIBCMT ref: 0136426E
    • ShellExecuteExW.SHELL32(?), ref: 0136439E
    • IsWindowVisible.USER32(?), ref: 013643D1
    • ShowWindow.USER32(?,00000000), ref: 013643DD
    • WaitForInputIdle.USER32(?,000007D0), ref: 013643EE
    • GetExitCodeProcess.KERNELBASE(?,?), ref: 01364419
    • CloseHandle.KERNEL32(?), ref: 0136443F
    • ShowWindow.USER32(?,00000001), ref: 013644A1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Window$Show$CloseCodeExecuteExitHandleIdleInputProcessShellVisibleWait_wcslen
    • String ID: .exe$.inf
    • API String ID: 3646668279-3750412487
    • Opcode ID: 6ddd2827d98dc5a7c2d44e4ad312eb4ca899d8385648daba1330cc4dd4fee4d9
    • Instruction ID: 1e678e1356cd465642064b50fc0753c9a6b4c0fba11f405b6a3da72696eeb390
    • Opcode Fuzzy Hash: 6ddd2827d98dc5a7c2d44e4ad312eb4ca899d8385648daba1330cc4dd4fee4d9
    • Instruction Fuzzy Hash: B351F5319087819AE7329F68D444AAB7BECAF8174CF54841DEAC0A728DE771C494CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Graph image not reproduced in this extraction (function starting at 135d2e8; executed / not-executed block colouring is lost)
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _strncpy$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
    • String ID: CA+$CA+
    • API String ID: 2527496121-2194209714
    • Opcode ID: f4c6c5d439aa70642274f79efebcbb2c7141a063160cfa0dd70b88778f4af95e
    • Instruction ID: 7fd65152aa5dba481fb05c37f354dc1b35fbe4b8d3324419f9e15ecc6c3acc54
    • Opcode Fuzzy Hash: f4c6c5d439aa70642274f79efebcbb2c7141a063160cfa0dd70b88778f4af95e
    • Instruction Fuzzy Hash: DDB19EB1504316DFD765EF68D890A2A7BEDFB88718F050A3EE845D3248F732E9058B91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 1500 1370d74-1370d8d 1501 1370da3-1370da8 1500->1501 1502 1370d8f-1370d9f call 137535c 1500->1502 1504 1370db5-1370dd9 MultiByteToWideChar 1501->1504 1505 1370daa-1370db2 1501->1505 1502->1501 1512 1370da1 1502->1512 1506 1370ddf-1370deb 1504->1506 1507 1370f6c-1370f7f call 13663dc 1504->1507 1505->1504 1509 1370e3f 1506->1509 1510 1370ded-1370dfe 1506->1510 1516 1370e41-1370e43 1509->1516 1513 1370e00-1370e0f call 1378420 1510->1513 1514 1370e1d-1370e2e call 136f9e5 1510->1514 1512->1501 1519 1370f61 1513->1519 1526 1370e15-1370e1b 1513->1526 1514->1519 1527 1370e34 1514->1527 1516->1519 1520 1370e49-1370e5c MultiByteToWideChar 1516->1520 1524 1370f63-1370f6a call 1370fdc 1519->1524 1520->1519 1523 1370e62-1370e74 call 137137c 1520->1523 1529 1370e79-1370e7d 1523->1529 1524->1507 1531 1370e3a-1370e3d 1526->1531 1527->1531 1529->1519 1532 1370e83-1370e8a 1529->1532 1531->1516 1533 1370ec4-1370ed0 1532->1533 1534 1370e8c-1370e91 1532->1534 1536 1370ed2-1370ee3 1533->1536 1537 1370f1c 1533->1537 1534->1524 1535 1370e97-1370e99 1534->1535 1535->1519 1538 1370e9f-1370eb9 call 137137c 1535->1538 1540 1370ee5-1370ef4 call 1378420 1536->1540 1541 1370efe-1370f0f call 136f9e5 1536->1541 1539 1370f1e-1370f20 1537->1539 1538->1524 1553 1370ebf 1538->1553 1543 1370f22-1370f3b call 137137c 1539->1543 1544 1370f5a-1370f60 call 1370fdc 1539->1544 1540->1544 1556 1370ef6-1370efc 1540->1556 1541->1544 1552 1370f11 1541->1552 1543->1544 1558 1370f3d-1370f44 1543->1558 1544->1519 1557 1370f17-1370f1a 1552->1557 1553->1519 1556->1557 1557->1539 1559 1370f46-1370f47 1558->1559 1560 1370f80-1370f86 1558->1560 1561 1370f48-1370f58 WideCharToMultiByte 1559->1561 1560->1561 1561->1544 1562 1370f88-1370f8f call 1370fdc 1561->1562 1562->1524
    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0136BD5E,0136BD5E,?,?,?,01370FC5,00000001,00000001,F4E85006), ref: 01370DCE
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,01370FC5,00000001,00000001,F4E85006,?,?,?), ref: 01370E54
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,F4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 01370F4E
    • __freea.LIBCMT ref: 01370F5B
      • Part of subcall function 0136F9E5: RtlAllocateHeap.NTDLL(00000000,?,?,?,0136A7E9,?,0000015D,?,?,?,?,0136BCC5,000000FF,00000000,?,?), ref: 0136FA17
    • __freea.LIBCMT ref: 01370F64
    • __freea.LIBCMT ref: 01370F89
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID:
    • API String ID: 1414292761-0
    • Opcode ID: 1c433c8ffbf9b0bc500424cbdf89e222c6d95a196d2da2fdd7507eae4d69bc1e
    • Instruction ID: edaff574877ae2f39e149ff3248b4a16bf2fb9809a5291aec77cd14974b2d88b
    • Opcode Fuzzy Hash: 1c433c8ffbf9b0bc500424cbdf89e222c6d95a196d2da2fdd7507eae4d69bc1e
    • Instruction Fuzzy Hash: C451E172610217AFEB398F68CC81FAF7BA9EB56758F144628FD08D6180DB78DC54C690
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 01357295
      • Part of subcall function 01352D8E: GetVersionExW.KERNEL32(?), ref: 01352DB3
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 013572B9
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 013572D3
    • TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 013572E6
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 013572F6
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 01357306
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion
    • String ID:
    • API String ID: 2092733347-0
    • Opcode ID: 0a7990070beadbe03f77128df13edc78267fee5ecee76e9f6ef79b23e0be2045
    • Instruction ID: 9c8363eee6d3ed38e254ac25665c0dfb3dd38e0754cd2b5747b87e76be3dba1f
    • Opcode Fuzzy Hash: 0a7990070beadbe03f77128df13edc78267fee5ecee76e9f6ef79b23e0be2045
    • Instruction Fuzzy Hash: 7E31E479118356AFC714DFA8C88499BB7E8BF88618F444A1AF999C3210E730D509CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 1574 13646d3-13646ec WaitForSingleObject 1575 1364734-1364736 1574->1575 1576 13646ee-13646ef 1574->1576 1577 13646f1-1364701 PeekMessageW 1576->1577 1578 1364724-1364731 WaitForSingleObject 1577->1578 1579 1364703-136471e GetMessageW TranslateMessage DispatchMessageW 1577->1579 1578->1577 1580 1364733 1578->1580 1579->1578 1580->1575
    APIs
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 013646DF
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 013646F9
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0136470A
    • TranslateMessage.USER32(?), ref: 01364714
    • DispatchMessageW.USER32(?), ref: 0136471E
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 01364729
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
    • String ID:
    • API String ID: 2148572870-0
    • Opcode ID: 873b37cfa7bed21e28fa9f237b3536ba6100dac030fe3d5fd589d05ac5f4368a
    • Instruction ID: 4d73a9f2761aecff579809b7904321a201a40428196a2b82e7a9c2780f2f268d
    • Opcode Fuzzy Hash: 873b37cfa7bed21e28fa9f237b3536ba6100dac030fe3d5fd589d05ac5f4368a
    • Instruction Fuzzy Hash: 0EF03C72A01129FBCB315AA5DC8DDDB7F6DEF423A5F008411F606D2048E6388505C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 1581 13616c0-13616df GetClassNameW 1582 1361707-1361709 1581->1582 1583 13616e1-13616f6 call 1357d7d 1581->1583 1585 1361714-1361716 1582->1585 1586 136170b-136170d 1582->1586 1588 1361706 1583->1588 1589 13616f8-1361704 FindWindowExW 1583->1589 1586->1585 1588->1582 1589->1588
    APIs
    • GetClassNameW.USER32(?,?,00000050), ref: 013616D7
    • SHAutoComplete.SHLWAPI(?,00000010), ref: 0136170E
      • Part of subcall function 01357D7D: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,01353108,?,?,?,013530B5,?,-00000002,?,00000000,?), ref: 01357D93
    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 013616FE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AutoClassCompareCompleteFindNameStringWindow
    • String ID: EDIT$pl9u
    • API String ID: 4243998846-2836395951
    • Opcode ID: c4a1ba63fad62f3e1e151b445c4573b8e18c59961645c8eaa620a0ab4d86e61e
    • Instruction ID: d0774ef6576cc41738da1bdb8b4a6e7206ed7c0767f0809a0960dff681b99fe2
    • Opcode Fuzzy Hash: c4a1ba63fad62f3e1e151b445c4573b8e18c59961645c8eaa620a0ab4d86e61e
    • Instruction Fuzzy Hash: 18F0827360072867EB3056189C49FDB7A6C9B86B49F440011BF41F3184E768D50587B5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 1590 1351ee0-1351f01 call 1365690 1593 1351f03-1351f06 1590->1593 1594 1351f0c 1590->1594 1593->1594 1596 1351f08-1351f0a 1593->1596 1595 1351f0e-1351f1f 1594->1595 1597 1351f27-1351f31 1595->1597 1598 1351f21 1595->1598 1596->1595 1599 1351f36-1351f43 call 1351b85 1597->1599 1600 1351f33 1597->1600 1598->1597 1603 1351f45 1599->1603 1604 1351f4b-1351f6a CreateFileW 1599->1604 1600->1599 1603->1604 1605 1351f6c-1351f8e GetLastError call 13535e5 1604->1605 1606 1351fbb-1351fbf 1604->1606 1610 1351fc8-1351fcd 1605->1610 1615 1351f90-1351fb3 CreateFileW GetLastError 1605->1615 1607 1351fc3-1351fc6 1606->1607 1609 1351fd9-1351fde 1607->1609 1607->1610 1613 1351fe0-1351fe3 1609->1613 1614 1351fff-1352010 1609->1614 1610->1609 1612 1351fcf 1610->1612 1612->1609 1613->1614 1616 1351fe5-1351ff9 SetFileTime 1613->1616 1617 1352012-135202a call 135695c 1614->1617 1618 135202e-1352039 1614->1618 1615->1607 1619 1351fb5-1351fb9 1615->1619 1616->1614 1617->1618 1619->1607
    APIs
    • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000), ref: 01351F5F
    • GetLastError.KERNEL32 ref: 01351F6C
    • CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800), ref: 01351FA2
    • GetLastError.KERNEL32 ref: 01351FAA
    • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000), ref: 01351FF9
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: File$CreateErrorLast$Time
    • String ID:
    • API String ID: 1999340476-0
    • Opcode ID: e9974840ed2dd8ad74f5254be02c1ed0cd8e634e4badc613df94b0d0684cac30
    • Instruction ID: d0c426d0c7228575768c04cddc64c02ad0dedce9b1eb5a3cf26aa575943bd928
    • Opcode Fuzzy Hash: e9974840ed2dd8ad74f5254be02c1ed0cd8e634e4badc613df94b0d0684cac30
    • Instruction Fuzzy Hash: 06312330544346AFE3719F28CC45FEABBA8BB14B38F100B19FDA1961C1C3B5A188CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 1649 13620d8-13620f1 PeekMessageW 1650 13620f3-1362107 GetMessageW 1649->1650 1651 136212c-136212e 1649->1651 1652 1362118-1362126 TranslateMessage DispatchMessageW 1650->1652 1653 1362109-1362116 IsDialogMessageW 1650->1653 1652->1651 1653->1651 1653->1652
    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 013620E9
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 013620FA
    • IsDialogMessageW.USER32(?,?), ref: 0136210E
    • TranslateMessage.USER32(?), ref: 0136211C
    • DispatchMessageW.USER32(?), ref: 01362126
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Message$DialogDispatchPeekTranslate
    • String ID:
    • API String ID: 1266772231-0
    • Opcode ID: 77591dde887d41ba74d8b07748d3b8a71d70d91a6f099d0396b81bfceace764e
    • Instruction ID: 8046838592a5571a33a01afb995cd12a6853986f921f0802d10e6e6c87d91607
    • Opcode Fuzzy Hash: 77591dde887d41ba74d8b07748d3b8a71d70d91a6f099d0396b81bfceace764e
    • Instruction Fuzzy Hash: BAF0B77590222AABDB20ABF6EC8CDEB7F7CEE05294B014414F705D3148F668D105CBB0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 01356B9C: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01356BB7
      • Part of subcall function 01356B9C: LoadLibraryW.KERNELBASE(?,?,0135590F,Crypt32.dll,00000000,01355989,?,?,0135596C,00000000,00000000,?,00000000), ref: 01356BD9
    • OleInitialize.OLE32(00000000), ref: 01361834
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0136186B
    • SHGetMalloc.SHELL32(0139F948), ref: 01361875
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
    • String ID: riched20.dll
    • API String ID: 3498096277-3360196438
    • Opcode ID: b4be1f02790c697785a5a140d42c5c2b867b5afeaf43980a73e5565f438026f4
    • Instruction ID: 0a01f26b126772dd4be456c23fb7ac4021f988b6e542fe6069702d124b7ddbb9
    • Opcode Fuzzy Hash: b4be1f02790c697785a5a140d42c5c2b867b5afeaf43980a73e5565f438026f4
    • Instruction Fuzzy Hash: 02F01DB1D00209ABCB60AF9AD8499EFFFFCEF94755F00405AE915E3204D7B45605CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 0136468C
    • SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 013646C8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: EnvironmentVariable
    • String ID: sfxcmd$sfxpar
    • API String ID: 1431749950-3493335439
    • Opcode ID: 89c38c24349b7a512e08d70bd2e051fb4488a54485b3340274e7e16176023155
    • Instruction ID: 98e15a87cbf12e5d9bd2ceac2c75fb0f36a6a1f0c79ec026baebc99a5d7b6fbf
    • Opcode Fuzzy Hash: 89c38c24349b7a512e08d70bd2e051fb4488a54485b3340274e7e16176023155
    • Instruction Fuzzy Hash: 37F0ECB2C00225F6DF301B99DC0AFEA7BAC9F15B6DB408515FD4856108D7648C90C7B0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,?,01369FB8,00000000,?,013B9614,?,?,?,0136A15B,00000004,InitializeCriticalSectionEx,0137C0B4,InitializeCriticalSectionEx), ref: 0136A014
    • GetLastError.KERNEL32(?,01369FB8,00000000,?,013B9614,?,?,?,0136A15B,00000004,InitializeCriticalSectionEx,0137C0B4,InitializeCriticalSectionEx,00000000,?,01369DA2), ref: 0136A01E
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0136A046
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: b73c3ab039672d4ddb0c1c7b94f10911499c0cb17f6fa966df8767d838fcbccb
    • Instruction ID: 1f496c2eb878eebf12c95af2fe2fa2c10098c48e6c48b6c4c1f73b7d61a22a32
    • Opcode Fuzzy Hash: b73c3ab039672d4ddb0c1c7b94f10911499c0cb17f6fa966df8767d838fcbccb
    • Instruction Fuzzy Hash: 8FE01A302C0209BBEF311A65ED0AB583B6DBB01B68F108020FA0DA90D9DBA6A420D794
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 01351DA5
    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 01351DBD
    • GetLastError.KERNEL32 ref: 01351DEF
    • GetLastError.KERNEL32 ref: 01351E0E
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ErrorLast$FileHandleRead
    • String ID:
    • API String ID: 2244327787-0
    • Opcode ID: d54276b924953c5a8cde61692265593d94d1167849c45edf9410d04a0e2d1cb9
    • Instruction ID: cb0168b6a2252198515dfb9294fef3f0d2a1885159e9b4942746e556c0c27c6e
    • Opcode Fuzzy Hash: d54276b924953c5a8cde61692265593d94d1167849c45edf9410d04a0e2d1cb9
    • Instruction Fuzzy Hash: 5D117034900608EBDFB2AB68C804FB977FDBB01A69F104629EC2A95180D7708E84EB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,0136A652,00000000,00000000,?,013710EB,0136A652,00000000,00000000,00000000,?,013712E8,00000006,FlsSetValue), ref: 01371176
    • GetLastError.KERNEL32(?,013710EB,0136A652,00000000,00000000,00000000,?,013712E8,00000006,FlsSetValue,0137D690,FlsSetValue,00000000,00000364,?,0136F837), ref: 01371182
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,013710EB,0136A652,00000000,00000000,00000000,?,013712E8,00000006,FlsSetValue,0137D690,FlsSetValue,00000000), ref: 01371190
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: 4a55cd13bcdac1a5b0d9ce8ac0dd88084e1b8b940439b8d323769067c39d9735
    • Instruction ID: b09ac75859d9764849d201cf92cc7988b6402aa834f4f7a45d229780d46764bb
    • Opcode Fuzzy Hash: 4a55cd13bcdac1a5b0d9ce8ac0dd88084e1b8b940439b8d323769067c39d9735
    • Instruction Fuzzy Hash: 5E01DB3765122AABDB324A7CBC45B577BACBF05BB9B110724FA06DB181D725D800CBE0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStdHandle.KERNEL32(000000F5,?,?,00000000,00000000,0135AFDE,?,?,?,?,?,0135B798,0138E5AC,?,0135C12B,00010000), ref: 0135253E
    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 01352585
    • WriteFile.KERNELBASE(00000008,?,0135C12B,00010000,00000000,036BCBF9,?,?,?,00000000,00000000,0135AFDE,?,?,?,?), ref: 013525B1
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: FileWrite$Handle
    • String ID:
    • API String ID: 4209713984-0
    • Opcode ID: 51da0cd608e889859cc44e76e53dd1e7df9769d6c2458285c4458fc3a283c3b9
    • Instruction ID: d5751d6c60b1845fc61c3fce9791f4d8367ea31463ba265b7c9bd13a2f9981ad
    • Opcode Fuzzy Hash: 51da0cd608e889859cc44e76e53dd1e7df9769d6c2458285c4458fc3a283c3b9
    • Instruction Fuzzy Hash: 4331A231204305EFDB65CE18D868F6FBBA9FB84B2DF044919FD8257290D7709948CBA2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 013538FD: _wcslen.LIBCMT ref: 01353903
    • CreateDirectoryW.KERNELBASE(?,00000000,?), ref: 01352837
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?), ref: 0135286A
    • GetLastError.KERNEL32(?,?), ref: 01352887
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CreateDirectory$ErrorLast_wcslen
    • String ID:
    • API String ID: 2260680371-0
    • Opcode ID: ca77b14475bacce0853c9af09330d796c31e508a8d07faf4486f2f383317b70c
    • Instruction ID: 6aa68835d03a65656a8dadd5ab4d51ef1b85614ac4bd52b074390fa118e5373f
    • Opcode Fuzzy Hash: ca77b14475bacce0853c9af09330d796c31e508a8d07faf4486f2f383317b70c
    • Instruction Fuzzy Hash: 93017535210255A6EFA66BAC4844FFF2F6C6F19F9CF080864FE41E6084D764D584C7A5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0135A2E6
      • Part of subcall function 0135B122: __EH_prolog.LIBCMT ref: 0135B127
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@
    • String ID: 0C6L3.cpl
    • API String ID: 3007126557-1539666090
    • Opcode ID: 85f6a0119539d21f182270f8ffbe5ac25bb52de0d8bb77fa64a5c9d62957a2f6
    • Instruction ID: 3cbd1e01e533a617b5ce3f3cc5707bb6e86f19e5ee8d2319679bd94f6b6fa0aa
    • Opcode Fuzzy Hash: 85f6a0119539d21f182270f8ffbe5ac25bb52de0d8bb77fa64a5c9d62957a2f6
    • Instruction Fuzzy Hash: EAD1E271504352DFE7B5EF2CE854E2A3BA9E745B2CF080629ED4183289F771D844EB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 01371CC8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-3916222277
    • Opcode ID: 940d42e135a7bf4171ed6a5a2a4f313cda858e1b3dd1bc3390fef44c6e934d71
    • Instruction ID: 2cedd12372064f696e86e296f28de1135298beff4c11f54e5bae702c05908131
    • Opcode Fuzzy Hash: 940d42e135a7bf4171ed6a5a2a4f313cda858e1b3dd1bc3390fef44c6e934d71
    • Instruction Fuzzy Hash: 18410A7150438C9EDB368E688C84AF6BBFEEB5530CF1404ECE59A87142D2399945CF60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 0135B127
      • Part of subcall function 01352AE7: FindClose.KERNELBASE(00000000), ref: 01352B12
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CloseFindH_prolog
    • String ID: 0C6L3.cpl
    • API String ID: 1153179139-1539666090
    • Opcode ID: 72c3cfb97a1e5f8206013e9f24c09de000ec1a0da0a433b5db1d2a4d7a1ec543
    • Instruction ID: f73f9523b26e9b3014c15974fc7467d93ae9b8deebdb5ff868788dfc41871ab7
    • Opcode Fuzzy Hash: 72c3cfb97a1e5f8206013e9f24c09de000ec1a0da0a433b5db1d2a4d7a1ec543
    • Instruction Fuzzy Hash: D311E731A00256DBDFD1EF789801FEEB7AAAF51B2CF004165ED01A71C4EBB84A458B90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,F4E85006,00000001,?,000000FF), ref: 013713ED
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: String
    • String ID: LCMapStringEx
    • API String ID: 2568140703-3893581201
    • Opcode ID: 83d3559f8883f7b7fbcc5b836839c80a356332441b0e2d4fa95d131b42cad287
    • Instruction ID: 1a84e7764aaf1e8747f2647fbbf373818506c9001ebd690c78e94e85d7ee5e2d
    • Opcode Fuzzy Hash: 83d3559f8883f7b7fbcc5b836839c80a356332441b0e2d4fa95d131b42cad287
    • Instruction Fuzzy Hash: 77010C3250020DBBCF225F95DC05DDE3F6AFF18768F454159FE0825120C67A8931EB84
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,0137091F), ref: 01371365
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CountCriticalInitializeSectionSpin
    • String ID: InitializeCriticalSectionEx
    • API String ID: 2593887523-3084827643
    • Opcode ID: 18dafc3d83460db33fc55d0c22b7be548a68e7847a146a01354e5a3665c4aeb4
    • Instruction ID: 435ff534d3c93b3897c285a9f26ed10fdf4aea0d322e47fe1f354796696b85fc
    • Opcode Fuzzy Hash: 18dafc3d83460db33fc55d0c22b7be548a68e7847a146a01354e5a3665c4aeb4
    • Instruction Fuzzy Hash: 13F0B43264121CBBCF316F55DC05E9D7FA9EF14B25F404159FD0C1A224CA7659109B84
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Alloc
    • String ID: FlsAlloc
    • API String ID: 2773662609-671089009
    • Opcode ID: c592acfc013eb462cc9e851786b18d3b2c927e0587cfba27a847917ee9c7e283
    • Instruction ID: df734fb62b948a44128ede892af6dded78ec64027bea819c4a8833f4c018c03e
    • Opcode Fuzzy Hash: c592acfc013eb462cc9e851786b18d3b2c927e0587cfba27a847917ee9c7e283
    • Instruction Fuzzy Hash: 1BE0E532B4221DABC731ABA5AC06F6D7B6CDF54B39F41416DF80967300DD7919048789
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 01371BCB: GetOEMCP.KERNEL32(00000000,?,?,01371E54,?), ref: 01371BF6
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,01371E99,?,00000000), ref: 01372074
    • GetCPInfo.KERNEL32(00000000,01371E99,?,?,?,01371E99,?,00000000), ref: 01372087
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID:
    • API String ID: 546120528-0
    • Opcode ID: 8448acb19deef537c262a8f50c5627f897c4c69822ffe37208a9257aedbb1b9e
    • Instruction ID: 686cdd107c854777c2cb9bde9e58eff044f0779c70c63cf0e000fabfb36b907a
    • Opcode Fuzzy Hash: 8448acb19deef537c262a8f50c5627f897c4c69822ffe37208a9257aedbb1b9e
    • Instruction Fuzzy Hash: F3513574E0024A9FDB318F39D8806BBBFE9FF41318F14406ED69687241D63D9545CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 013521A2
    • GetLastError.KERNEL32 ref: 013521B1
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: e23d4a13777d97b3b0e3b68a95e95d955ceb63940d33a975389c57053067795d
    • Instruction ID: 37bec6d5e0d170808f3dc4f03f25925d946d254eceaa87558c7ec050a718088e
    • Opcode Fuzzy Hash: e23d4a13777d97b3b0e3b68a95e95d955ceb63940d33a975389c57053067795d
    • Instruction Fuzzy Hash: 99414B7460534ACBC7B4EE28C884EABB7EAFB48B68F04451DEE4583641D770D984CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0136F765: GetLastError.KERNEL32(?,?,0136ABD7,?,?,?,0136A652,00000050), ref: 0136F769
      • Part of subcall function 0136F765: _free.LIBCMT ref: 0136F79C
      • Part of subcall function 0136F765: SetLastError.KERNEL32(00000000), ref: 0136F7DD
      • Part of subcall function 0136F765: _abort.LIBCMT ref: 0136F7E3
      • Part of subcall function 01371F5E: _abort.LIBCMT ref: 01371F90
      • Part of subcall function 01371F5E: _free.LIBCMT ref: 01371FC4
      • Part of subcall function 01371BCB: GetOEMCP.KERNEL32(00000000,?,?,01371E54,?), ref: 01371BF6
    • _free.LIBCMT ref: 01371EAF
    • _free.LIBCMT ref: 01371EE5
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _free$ErrorLast_abort
    • String ID:
    • API String ID: 2991157371-0
    • Opcode ID: f38478917f72f74e3c4a4b87b4f53da53b6cd5a4b1bd88b2865524f516e87133
    • Instruction ID: fe272597b1f1381367341db66fe844fdd8c8c924cd75e9fe2c8292e2eb1ae0c0
    • Opcode Fuzzy Hash: f38478917f72f74e3c4a4b87b4f53da53b6cd5a4b1bd88b2865524f516e87133
    • Instruction Fuzzy Hash: E831DC32D04209AFDB31EF6CD480B6D7BF9EF41328F154599D9089B691EB3A5D41CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FlushFileBuffers.KERNEL32(?), ref: 013523BC
    • SetFileTime.KERNELBASE(?,?,?,?), ref: 01352470
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: File$BuffersFlushTime
    • String ID:
    • API String ID: 1392018926-0
    • Opcode ID: c16c21e326e7af90b8216e7d5a9704cf9c5907555b97609ea5e1bab192148f1c
    • Instruction ID: 762926305f0373bd86ecfc37e9da1af7b46db72f4b8646d5f3c98d6a1599ebdb
    • Opcode Fuzzy Hash: c16c21e326e7af90b8216e7d5a9704cf9c5907555b97609ea5e1bab192148f1c
    • Instruction Fuzzy Hash: A3210131248286DFD755CE78C881EABBFE8AF95A08F04491CFCC587142D328E50DD761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?), ref: 01351CF6
    • CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800), ref: 01351D26
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CreateFile
    • String ID:
    • API String ID: 823142352-0
    • Opcode ID: fe635485b0c20e91736070ef7bcf128334329b0a973a1d45970f5f99c74ed171
    • Instruction ID: bf50cf2b1d1abcdc0c46511fc79c341c37ab85e2fdf265bcf3e741699f393c25
    • Opcode Fuzzy Hash: fe635485b0c20e91736070ef7bcf128334329b0a973a1d45970f5f99c74ed171
    • Instruction Fuzzy Hash: EC210071500344AEE7B18A69CC88FB3B6ECFB48B68F000A28ED95C21C1C379A884C731
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FreeLibrary.KERNEL32(00000000,?,013B9614,?,?,?,0136A15B,00000004,InitializeCriticalSectionEx,0137C0B4,InitializeCriticalSectionEx,00000000,?,01369DA2,013B9614,00000FA0), ref: 01369FEA
    • GetProcAddress.KERNEL32(00000000,?), ref: 01369FF4
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AddressFreeLibraryProc
    • String ID:
    • API String ID: 3013587201-0
    • Opcode ID: 63b35aee640c62d760a661e8cd52accffd1709a4419c66f6828755f62763c7c9
    • Instruction ID: 822e159a8e8e2beb8f76039ac0c04855df4ed50822da5b64c80bc5efe289fe52
    • Opcode Fuzzy Hash: 63b35aee640c62d760a661e8cd52accffd1709a4419c66f6828755f62763c7c9
    • Instruction Fuzzy Hash: 8D118E31604119DFDF23CF68E880B9A77ADFB4576DB168169EA06DB248E730D909CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 013524C7
    • GetLastError.KERNEL32 ref: 013524D4
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: 6082acdc51c6b863196a4f437d7d301ea4265bdb8499c61a263451f8826331b8
    • Instruction ID: f2c09b2282f59625ed05d923e44f94564723ac61a88dac9ecf2e1b635a70ae07
    • Opcode Fuzzy Hash: 6082acdc51c6b863196a4f437d7d301ea4265bdb8499c61a263451f8826331b8
    • Instruction Fuzzy Hash: 4C11C271600204EBE7758628CC40FA7BBF9AB45778F904718E953E2AC0D770F945C750
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFileAttributesW.KERNELBASE(?,00000000,?,?,01352883,?,?), ref: 01352A5F
      • Part of subcall function 013535E5: _wcslen.LIBCMT ref: 01353609
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,?,01352883,?,?), ref: 01352A90
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    • Opcode ID: dcf5b682c84a786e1d7002005a365f051dc3299b563bc115f83adee6bb42e8b9
    • Instruction ID: ac86d4903b93222dbd88451e5e616e4faacec03e7ae2c719cb5b967893fcb44f
    • Opcode Fuzzy Hash: dcf5b682c84a786e1d7002005a365f051dc3299b563bc115f83adee6bb42e8b9
    • Instruction Fuzzy Hash: ACF0A93110021AABEF229E6ACC00FDA3B6CBB087D9F00C420BC48D6154DB31C9949B20
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DeleteFileW.KERNELBASE(000000FF,?,?,01351D8F,?,?,01351BE3,?,?,?,?,?,01378AA3,000000FF), ref: 01352740
      • Part of subcall function 013535E5: _wcslen.LIBCMT ref: 01353609
    • DeleteFileW.KERNEL32(?,000000FF,?,00000800,?,?,01351D8F,?,?,01351BE3,?,?,?,?,?,01378AA3), ref: 0135276E
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: DeleteFile$_wcslen
    • String ID:
    • API String ID: 2643169976-0
    • Opcode ID: 08ff6b9b2cbc535a3976fd99b7ad4057ed4dd468c13398727c0dfb8aa00216a2
    • Instruction ID: 53dc7cecec4cad35cf2d53e0b1b854f1326f38dea389540ff00d9516bec32fcd
    • Opcode Fuzzy Hash: 08ff6b9b2cbc535a3976fd99b7ad4057ed4dd468c13398727c0dfb8aa00216a2
    • Instruction Fuzzy Hash: 4BE0D83125120AEBEB229F68DC40FDA37ACAF047DDF444061BD44D2055DB71DD84DB54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GdiplusShutdown.GDIPLUS(?,?,?,?,01378AA3,000000FF), ref: 013618B5
    • OleUninitialize.OLE32(?,?,?,?,01378AA3,000000FF), ref: 013618BA
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: GdiplusShutdownUninitialize
    • String ID:
    • API String ID: 3856339756-0
    • Opcode ID: 841c57e1fe5fc02e92094edb0d65c21ce71a04a7c762d7f9153d3a4e7ffa23bc
    • Instruction ID: 2f0e9719bcbb392ab278c6daa088a9123b2b5f2adbc3c6df10602b09af7e4d2d
    • Opcode Fuzzy Hash: 841c57e1fe5fc02e92094edb0d65c21ce71a04a7c762d7f9153d3a4e7ffa23bc
    • Instruction Fuzzy Hash: 06E03072604A54AFC720DF4DE945B49FBACFB48B60F004265E015D3754CB746800CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _swprintf.LIBCMT ref: 01364938
      • Part of subcall function 01352AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01352AB5
    • SetDlgItemTextW.USER32(00000065,?), ref: 0136494F
      • Part of subcall function 013620D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 013620E9
      • Part of subcall function 013620D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 013620FA
      • Part of subcall function 013620D8: IsDialogMessageW.USER32(?,?), ref: 0136210E
      • Part of subcall function 013620D8: TranslateMessage.USER32(?), ref: 0136211C
      • Part of subcall function 013620D8: DispatchMessageW.USER32(?), ref: 01362126
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Message$DialogDispatchItemPeekTextTranslate__vswprintf_c_l_swprintf
    • String ID:
    • API String ID: 2718869927-0
    • Opcode ID: e993a752cbe7e7dddb948b22f24314ba9b82403f76fd89377dd3fa50e91b733f
    • Instruction ID: ac674a60943953ebd15d3be15034f1411ffc9efe5e93f450d768924d7b57f42f
    • Opcode Fuzzy Hash: e993a752cbe7e7dddb948b22f24314ba9b82403f76fd89377dd3fa50e91b733f
    • Instruction Fuzzy Hash: 49E0D87240424A7AEF11BB69DC05FEB3FAC5F147C9F040451BA40E7091F679DAA18761
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileAttributesW.KERNELBASE(?), ref: 013527A3
      • Part of subcall function 013535E5: _wcslen.LIBCMT ref: 01353609
    • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 013527CF
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AttributesFile$_wcslen
    • String ID:
    • API String ID: 2673547680-0
    • Opcode ID: 8705c8ef265e326ee19ecb3de4ba8c6819e347b0906167547df5144adadc8d36
    • Instruction ID: d9580fb5784b4e1a70d151f52b9c1ffbe5768d22613476f835e5451b051b9450
    • Opcode Fuzzy Hash: 8705c8ef265e326ee19ecb3de4ba8c6819e347b0906167547df5144adadc8d36
    • Instruction Fuzzy Hash: 06E0ED315002249ADB61AB689C04BD97A6CBB097F9F0542A0FE55E3195D7649D80CBD4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01356BB7
    • LoadLibraryW.KERNELBASE(?,?,0135590F,Crypt32.dll,00000000,01355989,?,?,0135596C,00000000,00000000,?,00000000), ref: 01356BD9
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: DirectoryLibraryLoadSystem
    • String ID:
    • API String ID: 1175261203-0
    • Opcode ID: cb2f539c84558661a7b94ddb2ec5a0965370d17b2a091bc9f9a62a6e5e477296
    • Instruction ID: 031b50cc786015d5280f3d59485650fd308a83400cadd905a8d9f9eebe4f7da3
    • Opcode Fuzzy Hash: cb2f539c84558661a7b94ddb2ec5a0965370d17b2a091bc9f9a62a6e5e477296
    • Instruction Fuzzy Hash: FAE04872910228A6DF219AA9DC04FDA776CFF487E5F4440A17949D2108D674DA84CBB0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 01360EE9
    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 01360EF0
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: BitmapCreateFromGdipStream
    • String ID:
    • API String ID: 1918208029-0
    • Opcode ID: 475e1bc9ba80ba182f28352e74da53572e4c898f75b6f0e255868450a4e82a39
    • Instruction ID: dd465ba47a9fd2cb9a903b074c6598676dafa34ce6bf91133d147fadcf4c9966
    • Opcode Fuzzy Hash: 475e1bc9ba80ba182f28352e74da53572e4c898f75b6f0e255868450a4e82a39
    • Instruction Fuzzy Hash: 1EE06D71400618EBDB24DF48C90069DB7ECEB142A9F10C02AE84993640D270AE44DB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01368F9A
    • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 01368FA5
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Value___vcrt____vcrt_uninitialize_ptd
    • String ID:
    • API String ID: 1660781231-0
    • Opcode ID: 79d0b740ca02bca9fa360bfbef9bb988763c9fb1c89e599815da1308324c48ae
    • Instruction ID: c69c6d3ef77bc651f310253af7333fa97b6a8cbfcf0e861f560b2da6ac545d33
    • Opcode Fuzzy Hash: 79d0b740ca02bca9fa360bfbef9bb988763c9fb1c89e599815da1308324c48ae
    • Instruction Fuzzy Hash: F9D0A9A0544B02CCDD106B7D3C404C9334E6C2AABC3A0C2DAD3308E9CCEFA1800A6211
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ItemShowWindow
    • String ID:
    • API String ID: 3351165006-0
    • Opcode ID: cc16324d906a81dd48991afdfa26b1cc45a63be4b587d3dec6519c09c5a58750
    • Instruction ID: 2f82a00d0f947d8b670f86232e89de01a25820810b957215152f259ec557864a
    • Opcode Fuzzy Hash: cc16324d906a81dd48991afdfa26b1cc45a63be4b587d3dec6519c09c5a58750
    • Instruction Fuzzy Hash: 59C01232058640BECB410BB0DC09D2EBBACABA5312F00C908F2A5C2154E638C010EB11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: __allrem
    • String ID:
    • API String ID: 2933888876-0
    • Opcode ID: 839efb0563ea9aa1e540876683ff2869baa57f851b20562658a8e3df5884674c
    • Instruction ID: c8c4dbcef9b04bded3311b400622cfdfaf951145bd52d06eb8e1de9c2fd010ff
    • Opcode Fuzzy Hash: 839efb0563ea9aa1e540876683ff2869baa57f851b20562658a8e3df5884674c
    • Instruction Fuzzy Hash: E3319076601225DFD779DF28E854B297BAEF788B14F05453AED0197389F732E8008B91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcAddress.KERNEL32(00000000,?), ref: 01371108
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AddressProc
    • String ID:
    • API String ID: 190572456-0
    • Opcode ID: 8d55a5d4263d9248a8e2c2b01528a0eacc0f61ad6ba5973b25a8bae4dbf5101a
    • Instruction ID: 71a575327b5d77b5f21a36d34598beef444a11c4bda540cba838265b326c76b7
    • Opcode Fuzzy Hash: 8d55a5d4263d9248a8e2c2b01528a0eacc0f61ad6ba5973b25a8bae4dbf5101a
    • Instruction Fuzzy Hash: ED11A737B002269BDF329E2DEC4059A779D9B84378B064220FE15AF648DA35DC0187D0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 01371546: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0136F793,00000001,00000364,?,0136ABD7,?,?,?,0136A652,00000050), ref: 01371587
    • _free.LIBCMT ref: 013728F5
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
    • Instruction ID: 056f135893aaf2a7f065f476b0a7a307b3bfabcb5c1ba168cc9462a1d58feb4c
    • Opcode Fuzzy Hash: 7d30b6ea8507d2c13b34e354a80f4644266152c8881b27fa68bdf41323802f68
    • Instruction Fuzzy Hash: B101D673600345ABF3358E69988195AFFEDEB85374F29062DE59483280EA35A805C664
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 01364517
      • Part of subcall function 01356A26: _wcslen.LIBCMT ref: 01356A3C
      • Part of subcall function 0135F482: __EH_prolog.LIBCMT ref: 0135F487
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: H_prolog$_wcslen
    • String ID:
    • API String ID: 2838827086-0
    • Opcode ID: 13d6aad8f4eaf1a56e0219e9788a9846c3e467b10d980aad396fc6d7e8c1a3e1
    • Instruction ID: 08b19564b1bc115f3e502907e8f2da00bb8e281bccb36289086c819da9c8f8bf
    • Opcode Fuzzy Hash: 13d6aad8f4eaf1a56e0219e9788a9846c3e467b10d980aad396fc6d7e8c1a3e1
    • Instruction Fuzzy Hash: 7E01427254A380BED360AF7CF492F993FACEB2572CF00404EE64896385E6F61408C720
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0136F793,00000001,00000364,?,0136ABD7,?,?,?,0136A652,00000050), ref: 01371587
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 948d97cad41e325daffeff3bdef5c00705bc36fe0eb0ef6e16b04e41e80b3ad1
    • Instruction ID: 1c1d67845c44d2d0cc8c22cc5a6b992e06ba8f1f75bfcad3a587cb042f40a586
    • Opcode Fuzzy Hash: 948d97cad41e325daffeff3bdef5c00705bc36fe0eb0ef6e16b04e41e80b3ad1
    • Instruction Fuzzy Hash: EAF0E933644325E7EF395A7AAC45B6A3F4CEF41A78F1C8021EE0AA7484DA34D90087E1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000000,?,?,?,0136A7E9,?,0000015D,?,?,?,?,0136BCC5,000000FF,00000000,?,?), ref: 0136FA17
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 16bcc95a6ce17705916dd20bf0019bf8eab046996d01dd0ad0e85e7aa9214d12
    • Instruction ID: 35642de1d1edfc1f07d5e54d59d017094c57aba98ca570361c4556719df44927
    • Opcode Fuzzy Hash: 16bcc95a6ce17705916dd20bf0019bf8eab046996d01dd0ad0e85e7aa9214d12
    • Instruction Fuzzy Hash: 6AE02B3220431567F731267DFC21B9F7A8CDF026BCF19C121DD859208CCB60C8108BA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,01351BEA,?,?,?,?,?,01378AA3,000000FF), ref: 01351C4B
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: 4218aa4891350c49263b72da236c1132e7997cb8380752edf01fdeebea101622
    • Instruction ID: 619e0adf58da1dda2161361719c5c9a6e4b7c89d0cf0924803459e18dacf69ae
    • Opcode Fuzzy Hash: 4218aa4891350c49263b72da236c1132e7997cb8380752edf01fdeebea101622
    • Instruction Fuzzy Hash: 3AF08271481B158FEF728A29C458B92B7E8AB02739F045B1EC5F247AE4D3A3A18DC750
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 01352C15: FindFirstFileW.KERNELBASE(?,?), ref: 01352C3E
      • Part of subcall function 01352C15: FindFirstFileW.KERNELBASE(?,?,?,?,00000800), ref: 01352C6C
      • Part of subcall function 01352C15: GetLastError.KERNEL32(?,?,00000800), ref: 01352C78
    • FindClose.KERNELBASE(00000000), ref: 01352B12
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Find$FileFirst$CloseErrorLast
    • String ID:
    • API String ID: 1464966427-0
    • Opcode ID: 2b25502673fbb0c51daa5289c6b751ae9469adffae71b26b1981f52e2c61ad56
    • Instruction ID: 5859d3b7f00bc3c2144d5a1a40dc21e068ad67180f954ec37537ce7c3efd7ddc
    • Opcode Fuzzy Hash: 2b25502673fbb0c51daa5289c6b751ae9469adffae71b26b1981f52e2c61ad56
    • Instruction Fuzzy Hash: 51F082314097D0EACFA35BB84844FCBBF956F2A779F008A49E9FD121A1C2B55098D772
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog.LIBCMT ref: 0135F9AA
      • Part of subcall function 01351EE0: CreateFileW.KERNELBASE(?,?,?,00000000,00000003,08000000,00000000), ref: 01351F5F
      • Part of subcall function 01351EE0: GetLastError.KERNEL32 ref: 01351F6C
      • Part of subcall function 01351EE0: CreateFileW.KERNEL32(00000000,?,?,00000000,00000003,08000000,00000000,?,?,00000800), ref: 01351FA2
      • Part of subcall function 01351EE0: GetLastError.KERNEL32 ref: 01351FAA
      • Part of subcall function 01351EE0: SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000), ref: 01351FF9
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: File$CreateErrorLast$H_prologTime
    • String ID:
    • API String ID: 3517926197-0
    • Opcode ID: b875d3b14936ff1dd19851fed4fa10d3fea67ae886cd9055c3a5478c00ead3f5
    • Instruction ID: 32e213360b8331a0c07dced39e8de96d06f4776bce1291c9dc126a1d0d3f0c72
    • Opcode Fuzzy Hash: b875d3b14936ff1dd19851fed4fa10d3fea67ae886cd9055c3a5478c00ead3f5
    • Instruction Fuzzy Hash: 32F0307590215AEBDFA1EF54C981FDCB739FF20B48F008094AA4566190DB799A94DB20
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GdipAlloc.GDIPLUS(00000010), ref: 0136113C
      • Part of subcall function 01360EC8: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 01360EE9
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Gdip$AllocBitmapCreateFromStream
    • String ID:
    • API String ID: 1915507550-0
    • Opcode ID: 5ab87911419d104bf8d52cca4c52cd39a732c6fb385016300ad2ab0103f248f7
    • Instruction ID: e425f1d1ac718305654586124882618178e01760c8a698cd1abbc61511eee7f7
    • Opcode Fuzzy Hash: 5ab87911419d104bf8d52cca4c52cd39a732c6fb385016300ad2ab0103f248f7
    • Instruction Fuzzy Hash: 6ED0A77060020DB6DF412B249C02A6E7B9C9B51248F00C031E90595388EAB1D9109151
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,0135790C), ref: 013647EE
      • Part of subcall function 013620D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 013620E9
      • Part of subcall function 013620D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 013620FA
      • Part of subcall function 013620D8: IsDialogMessageW.USER32(?,?), ref: 0136210E
      • Part of subcall function 013620D8: TranslateMessage.USER32(?), ref: 0136211C
      • Part of subcall function 013620D8: DispatchMessageW.USER32(?), ref: 01362126
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Message$DialogDispatchItemPeekSendTranslate
    • String ID:
    • API String ID: 897784432-0
    • Opcode ID: bc6ed2d719a55f6c739f3bc77faf979ba99496c9c7ce9b38223a2685bc32b593
    • Instruction ID: bbbcdcb92ac25606e2e06d86cf70be6d418d5dab38366bb6e355e1783f3375db
    • Opcode Fuzzy Hash: bc6ed2d719a55f6c739f3bc77faf979ba99496c9c7ce9b38223a2685bc32b593
    • Instruction Fuzzy Hash: 0DD0C771145301BEDB512B51CD06F1B7BEABB98F09F404954B744740F4C662DD75DB01
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 91801e19fa7ccdb025828022cf99a0a1086f1cdeeb96e97ef66d71b22b6290da
    • Instruction ID: 6e6095471a9bacfa73beef329a2bdcb1a1fe964ca9209f44dc3fe37a9599fd48
    • Opcode Fuzzy Hash: 91801e19fa7ccdb025828022cf99a0a1086f1cdeeb96e97ef66d71b22b6290da
    • Instruction Fuzzy Hash: E4B012D5259205BCF88822492F45C37111CC2C0A5E320C21EF402D1B08E8404C4E6032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 285166c545b60ec460347a30f441a1587e061f96f5b97ddab8c113cfab66c8da
    • Instruction ID: a194d707f54585fb401703f37e5cc6bd26d372f75cefe78632dab2feb8717d66
    • Opcode Fuzzy Hash: 285166c545b60ec460347a30f441a1587e061f96f5b97ddab8c113cfab66c8da
    • Instruction Fuzzy Hash: 66B012E5259105BCF488624E2E05C37115CD1C0A5D320C11EF401C2A08EC400C0A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 88426d7e004bafb0d95ab6b3601108f9d93375f00120ba36a8b697a06ed08fdc
    • Instruction ID: 0fe221df804c18888673fb55a2cf83fab75e9c8f370339e8ccb6c674494eb596
    • Opcode Fuzzy Hash: 88426d7e004bafb0d95ab6b3601108f9d93375f00120ba36a8b697a06ed08fdc
    • Instruction Fuzzy Hash: 0FB012F5259105BDF488624D2F05C37115CC1C0A5D320C11EF401D2A08EC400D0B5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 15d2cb01f2b63a2abc11bb31ac8268b242b4818b78bb6b9efd0960a0ac2fddf9
    • Instruction ID: b2b77cb7fa7457165a1d069f40249c8e6509d6cecd011d2e2ac6d656bf9a08b8
    • Opcode Fuzzy Hash: 15d2cb01f2b63a2abc11bb31ac8268b242b4818b78bb6b9efd0960a0ac2fddf9
    • Instruction Fuzzy Hash: 09B012E5259105BCF488624D2E05C37115CC5C0A5D320C11EF801C2A08EC400C0A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 3a3d05d5b942bdc9ece02f154fcf602b7c5d1223ab8f658fc7abe796c59b311a
    • Instruction ID: a02bb245211527e4fcd758ba31b53faef39747d8681d0991027b8a5c8eb8a054
    • Opcode Fuzzy Hash: 3a3d05d5b942bdc9ece02f154fcf602b7c5d1223ab8f658fc7abe796c59b311a
    • Instruction Fuzzy Hash: 73B012E5259205BCF4C8624D2E05C37115CC2C0A5D320C21EF401C2A08EC400C4A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 0cce2ed1aeace612594792694b251410c432d18b21e9d6632aa2ab29c5832625
    • Instruction ID: 804c1eda5ebb35ae27b577dd373d333c9d6d3f285477928ad890556b30ada218
    • Opcode Fuzzy Hash: 0cce2ed1aeace612594792694b251410c432d18b21e9d6632aa2ab29c5832625
    • Instruction Fuzzy Hash: 91B012F5659205BCF488624D2F05C3711DCC1C0A5D320C11EF401D2A08E8404C0B5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: d8af7309880e68c6afa740b1ad84b191176ef1d10112de125ff8e94acd6868e4
    • Instruction ID: 2ebb84823fc382ee9bc2ab5dd7b3033e8da8ec233778067a99ddf49a2613d64d
    • Opcode Fuzzy Hash: d8af7309880e68c6afa740b1ad84b191176ef1d10112de125ff8e94acd6868e4
    • Instruction Fuzzy Hash: 20B012D5659205BCF488625D2E05C37119CC2C0A5D320C11EF901C2A08E8404C0A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: af6ccb2a83107dadfc917e34791ad4eaa38914d61b03a194eb702feccda32bc0
    • Instruction ID: 51a80974c0c077883507a2362303c460af73b52fe87c58f1404d3891b811df15
    • Opcode Fuzzy Hash: af6ccb2a83107dadfc917e34791ad4eaa38914d61b03a194eb702feccda32bc0
    • Instruction Fuzzy Hash: 28B012D5659305BCF4C8624D2E05C37119CC2C0A5D320C21EF401C2A08E8408C4A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 441534a14dde3e0c85bee942dcc66d1c8a7e4619ee3b2c3e412829a0b44784a2
    • Instruction ID: c2f569c5ad7a4cc013cfae10aa2bf78415444da1f51d42de3e1774de15e49289
    • Opcode Fuzzy Hash: 441534a14dde3e0c85bee942dcc66d1c8a7e4619ee3b2c3e412829a0b44784a2
    • Instruction Fuzzy Hash: BAB012D526A105BCF488624D2E05C3721DDD5C0A5D320C11EF401C2A08E8400C0A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: f3c907333075eb3dd5f1baca61e35f7a11046a6883c12b106f8f676e17940a06
    • Instruction ID: 9de75986b93b48d80c5f577374bdc5be6a77b6f20067736d4faff0f30b017cee
    • Opcode Fuzzy Hash: f3c907333075eb3dd5f1baca61e35f7a11046a6883c12b106f8f676e17940a06
    • Instruction Fuzzy Hash: 0CB012E525A205BCF4C8634D2E05C37119DC2C0A5D320C21EF401C2A08E8400C4A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 920b61827804dfa054ad71e7061ce8884e7a0f22f4b6dbe81b6dbe54239f98e8
    • Instruction ID: 090e055279441ce69ee793a613adc4f4816dfe19a8e3073229def064f523a7ce
    • Opcode Fuzzy Hash: 920b61827804dfa054ad71e7061ce8884e7a0f22f4b6dbe81b6dbe54239f98e8
    • Instruction Fuzzy Hash: CCB012E525B105BCF488624D2F05C37119DC1C0A9E320C11EF401D2A08E8400D0B5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: da6f8c5965414ad572748056d305fdb5d7f8892c3b3ba7c54036b7905ccf5978
    • Instruction ID: b7ca334037b74d49ec5e38ca40c68e1e9a5768c9319fc40539996f5bf4f87756
    • Opcode Fuzzy Hash: da6f8c5965414ad572748056d305fdb5d7f8892c3b3ba7c54036b7905ccf5978
    • Instruction Fuzzy Hash: 69B012D5759105BCF488624D2E07C37115CD1C0A5D320C51EF401C2A48E8400C0A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: df72b43afd85980504ac26de81c1848142e02704354a2bf30ca11f0998f8ee4f
    • Instruction ID: bd889fb18e945f942195f73048c9db46bc58b3b25e556e84074ad82affeef4b1
    • Opcode Fuzzy Hash: df72b43afd85980504ac26de81c1848142e02704354a2bf30ca11f0998f8ee4f
    • Instruction Fuzzy Hash: 5DB012D5759205BCF4C8624D2E06C37115CC2C0A5D320C21EF401C2A08E8400C4A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 35b3babe04f4b58a5fe50c2f8168957f5478792bf683c2e592b59bdeae759d4c
    • Instruction ID: d9dff92ed61dfe128b55544dc7eeedd1f6d6c172bbf4f4360adf6ce695027881
    • Opcode Fuzzy Hash: 35b3babe04f4b58a5fe50c2f8168957f5478792bf683c2e592b59bdeae759d4c
    • Instruction Fuzzy Hash: 69B012E5359105BCF488624D6F06C37115CC1C0E5D320C11EF401D2A08E8400C0B5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 8c277743c4ccf76b9ef61d89a7b33deb6f8febc2e5d07c6eeab5dd98c17609b6
    • Instruction ID: 7234c373a26141db2f0a94f941f25e1f18c07f24af30eed2714761ee33c21899
    • Opcode Fuzzy Hash: 8c277743c4ccf76b9ef61d89a7b33deb6f8febc2e5d07c6eeab5dd98c17609b6
    • Instruction Fuzzy Hash: BFB012D5359105BCF488634E2E06C37115CC1C0A5D320C11EF801C2A08E8400C0A5032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a29bafb9f3ebef5d38bfac9b000632de3368d8dc786a6813db00db1ef6ab401f
    • Instruction ID: db12c01182f32c22f444d17ef5f8c8c06f8744a6e88c9a2b82779b22bce4238d
    • Opcode Fuzzy Hash: a29bafb9f3ebef5d38bfac9b000632de3368d8dc786a6813db00db1ef6ab401f
    • Instruction Fuzzy Hash: 0CB012D529D101FCF00422456C05C37220CC1C0A1E320C61EF800D5404E8400C0D4037
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: c79b60bb847a927571dfb60bab5c2308d7bce6ddc45c88b0be6995b420fa9e6c
    • Instruction ID: 7da2392dd26b0f443fd75447651acc23a611d69784f4df7d468409bab49d3361
    • Opcode Fuzzy Hash: c79b60bb847a927571dfb60bab5c2308d7bce6ddc45c88b0be6995b420fa9e6c
    • Instruction Fuzzy Hash: 1FB012E529D301ACF044664D3E45C37210CC2C0A1D320C51EF500C6504E8410C0E4033
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 39c25d5a840cbd23800c95370999821930ed1c3853c0940b4bdcaa8f69611421
    • Instruction ID: 11af938dc95b1540de3d567dfd86e6a3042d64a13698d9d24cabfe860221b92b
    • Opcode Fuzzy Hash: 39c25d5a840cbd23800c95370999821930ed1c3853c0940b4bdcaa8f69611421
    • Instruction Fuzzy Hash: 63B012D52AD101BCF04466496C05D37210CD1C0A1E320C71FF400C6504E8400C0D4037
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 7b4411329eb891b7441923465b24669852ce57f9d3383d721f2972734d6b6ffa
    • Instruction ID: 69b229c553a695eecde923bd45b6445cac34ce87fd4092795387034eaf031a49
    • Opcode Fuzzy Hash: 7b4411329eb891b7441923465b24669852ce57f9d3383d721f2972734d6b6ffa
    • Instruction Fuzzy Hash: DBB012D529D201ECF044624D2C45C37210CC1C0A1D320C51EF800C6504E8400C0D4033
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0136561A
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: d61a3bd4aec41151a5d1f47846046373ff92950c15a07b23aea7a2f4a642a251
    • Instruction ID: 2cf96cfe700cab579b5944cda54cf2fec63bd27bc56600c819912ce09df1f1b7
    • Opcode Fuzzy Hash: d61a3bd4aec41151a5d1f47846046373ff92950c15a07b23aea7a2f4a642a251
    • Instruction Fuzzy Hash: A9B0129927B1017CF004224A2D02C37210CE6C1BAD370D13EF500C0404E4400C08403A
    Uniqueness

    Uniqueness Score: -1.00%
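The records in this section are near-duplicates: ten of them share Instruction ID 7dd7b120... and differ only in Opcode ID, and every one bottoms out in the same RaiseException(C06D0057, 0, 1, ...) inside ___delayLoadHelper2@8. The script below is an added example, not Joe Sandbox code and not part of this report. It parses records in the text layout shown on this page (an "APIs" line opening each record, call lines of the form `<api>.<module>(<args>) ref: <addr>`, and the Opcode ID / Instruction ID lines; that layout is an assumption read off this listing), collapses records by Instruction ID so each distinct thunk is reviewed once, and splits the exception code into severity, facility and Win32 error. 0xC06D0057 decodes to severity ERROR (0xC0000000), facility 0x6D (the facility used by the MSVC VcppException macro) and Win32 error 0x57, ERROR_INVALID_PARAMETER, which the MSVC delay-load helper raises when a delay import descriptor is not in the expected RVA form; ERROR_MOD_NOT_FOUND (0x7E) and ERROR_PROC_NOT_FOUND (0x7F) are what it raises when LoadLibrary or GetProcAddress fails. The sample records embedded in the script are constructed by abridging three records from this page.

```python
"""Collapse near-duplicate delay-load thunk records from a Joe Sandbox
function listing and decode the code passed to RaiseException.
Added example, not Joe Sandbox code; the text layout below is assumed
from the listing on this page."""
import re
from collections import defaultdict

# Constructed sample: three records abridged from this page. The first two
# share an Instruction ID (same code at different addresses); the third does not.
SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
  • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
  • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
  • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
• Opcode ID: 8b6ba7e2b597d6e53b488af2dfcc6d6888fa33bfcaf0fa5490745fecf936e92f
• Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
  • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
• Opcode ID: a743219f00ba02aba7b9c654ffcf07e686e5f5f456a9f753d0c8b4b15c229e32
• Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
  • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
• Opcode ID: b8cfdaea06722001956b0aafe146f20ddd62afe9fb121ab8594b662f82ce0206
• Instruction ID: 9f50d1039d2944fd5d30247634f996d7de93d89d857a42f0c321951709665ac8
"""

# One call line: optional "Part of subcall function <parent>:" prefix, then
# <api>.<module>, optional (<args>), then "ref: <addr>".
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<api>[\w@]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>Opcode ID|Instruction ID):\s*(?P<value>\S+)$")

FACILITY_VISUALCPP = 0x6D  # facility packed by the MSVC VcppException() macro
WIN32_ERROR_NAMES = {      # Win32 errors the MSVC delay-load helper raises
    0x57: "ERROR_INVALID_PARAMETER",  # delay import descriptor not in RVA form
    0x7E: "ERROR_MOD_NOT_FOUND",      # LoadLibrary of the delay-loaded DLL failed
    0x7F: "ERROR_PROC_NOT_FOUND",     # GetProcAddress of the imported symbol failed
}


def parse_records(text):
    """Return one dict per record: its API calls and its hash fields."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # each record opens with this line
            current = {"calls": [], "fields": {}}
            records.append(current)
            continue
        if current is None:
            continue
        call = CALL_RE.match(line)
        if call:
            current["calls"].append(call.groupdict())
            continue
        field = FIELD_RE.match(line)
        if field:
            current["fields"][field["key"]] = field["value"]
    return records


def group_by_instruction_id(records):
    """Map each Instruction ID to the Opcode IDs of the records that share it."""
    groups = defaultdict(list)
    for rec in records:
        iid = rec["fields"].get("Instruction ID")
        if iid:
            groups[iid].append(rec["fields"].get("Opcode ID"))
    return dict(groups)


def decode_vcpp_exception(code):
    """Split severity | facility << 16 | Win32 error, as VcppException() packs it."""
    facility = (code >> 16) & 0x0FFF
    win32 = code & 0xFFFF
    is_vcpp = facility == FACILITY_VISUALCPP
    return {
        "severity": code >> 30,  # 3 == ERROR_SEVERITY_ERROR
        "facility": facility,
        "is_vcpp": is_vcpp,
        "win32_error": win32,
        "name": WIN32_ERROR_NAMES.get(win32, "UNKNOWN") if is_vcpp else "NOT_VCPP",
    }


def raised_exception_names(records):
    """Names of the errors behind every RaiseException call in the records."""
    names = set()
    for rec in records:
        for call in rec["calls"]:
            if call["api"] == "RaiseException" and call["args"]:
                code = int(call["args"].split(",")[0], 16)  # first argument is the code
                names.add(decode_vcpp_exception(code)["name"])
    return names


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for iid, opcodes in group_by_instruction_id(recs).items():
        print(f"Instruction ID {iid[:16]}...: {len(opcodes)} record(s)")
    print("RaiseException codes seen:", sorted(raised_exception_names(recs)))
```

Run against the full listing, the grouping turns the page's ten 7dd7b120... records into a single review item; the facility check keeps codes that are not VcppException values from being mislabelled with a delay-load error name.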

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: eac71b4df16df093bc95dbf66db72ccd9106fffd125e085c18129ca85bcba0a4
    • Instruction ID: 4d6a3501aad4649f1db0206fd16ddcb08a63aad49aba53d2378e5d45e8b7bd79
    • Opcode Fuzzy Hash: eac71b4df16df093bc95dbf66db72ccd9106fffd125e085c18129ca85bcba0a4
    • Instruction Fuzzy Hash: 1EB012E52DD501BCF04866492C01D37121CE1C4F1D320C11EF404C1504E8450C098032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: c08b8ea1db1f893b183bc90974df0d17932c21c897d9fc0d6bfd80837923e62f
    • Instruction ID: 8aada15bd64e48208cf1610bc9deb3f606261970124a91a3c71a246c4ea8939f
    • Opcode Fuzzy Hash: c08b8ea1db1f893b183bc90974df0d17932c21c897d9fc0d6bfd80837923e62f
    • Instruction Fuzzy Hash: 8DB012E52DD601ACF14862492C01C37121CD1C4F1D320C61EF404C1504E8410C4D8032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 13344b9066ee5adcf825fe16e3ca2d62de09091714f8bbd4982df49e531cd57b
    • Instruction ID: 7f5a1d5d9df8ae8f09d609c6be3f9f8ab2d0174f593afc889efd75d621a1660e
    • Opcode Fuzzy Hash: 13344b9066ee5adcf825fe16e3ca2d62de09091714f8bbd4982df49e531cd57b
    • Instruction Fuzzy Hash: 6DB012E52DE601ACF14862492C01C37124CD1C8F5D320C21EF404C1504E4410C4D8032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 8b6ba7e2b597d6e53b488af2dfcc6d6888fa33bfcaf0fa5490745fecf936e92f
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: 8b6ba7e2b597d6e53b488af2dfcc6d6888fa33bfcaf0fa5490745fecf936e92f
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a743219f00ba02aba7b9c654ffcf07e686e5f5f456a9f753d0c8b4b15c229e32
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: a743219f00ba02aba7b9c654ffcf07e686e5f5f456a9f753d0c8b4b15c229e32
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 40a832a904155e1bc27a6c78604bc1a967f5ebdc9893e5821000e624c1b1a916
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: 40a832a904155e1bc27a6c78604bc1a967f5ebdc9893e5821000e624c1b1a916
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 81b3d63909a98a7c4582fd14d08e49733aaa1a4c713bdebf69672e6e9ff7725b
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: 81b3d63909a98a7c4582fd14d08e49733aaa1a4c713bdebf69672e6e9ff7725b
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: dc2df7c9c76e777950fd38842e34f01e9640fd35d763d963edc617cdaa1c6529
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: dc2df7c9c76e777950fd38842e34f01e9640fd35d763d963edc617cdaa1c6529
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 174ff43ef78d71710245b05380c64d1a558690f4cb45eaf2d821713a50f48b9a
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: 174ff43ef78d71710245b05380c64d1a558690f4cb45eaf2d821713a50f48b9a
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a0b32d5d252e098925730124f7451a5b1394685a0c5f885ea3fa3e1ebc84ba5b
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: a0b32d5d252e098925730124f7451a5b1394685a0c5f885ea3fa3e1ebc84ba5b
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: e92f83263af42491e4b7578fbfdea5657bd00b0415cb396e12a97ab90abcf3c1
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: e92f83263af42491e4b7578fbfdea5657bd00b0415cb396e12a97ab90abcf3c1
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a3539ec7f8974541424e398e3f46a032c41e2b470baa5b03c3afbabdbef3d623
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: a3539ec7f8974541424e398e3f46a032c41e2b470baa5b03c3afbabdbef3d623
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364C49
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 34e1ac825c60f76ae25c740da352aadef38c7e48c7bd5435f731961ab591de3a
    • Instruction ID: 7dd7b12073ea8bdcf94ed34569c131c11be89473dc90a84534e544baa718d57b
    • Opcode Fuzzy Hash: 34e1ac825c60f76ae25c740da352aadef38c7e48c7bd5435f731961ab591de3a
    • Instruction Fuzzy Hash: D5A002D5559106BCB54862556E05C37155DC5D4A59360C51DF44295548984018565035
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: b8cfdaea06722001956b0aafe146f20ddd62afe9fb121ab8594b662f82ce0206
    • Instruction ID: 9f50d1039d2944fd5d30247634f996d7de93d89d857a42f0c321951709665ac8
    • Opcode Fuzzy Hash: b8cfdaea06722001956b0aafe146f20ddd62afe9fb121ab8594b662f82ce0206
    • Instruction Fuzzy Hash: 47A001E66AE216BCB15866966D0AC3B221DC5D4AAE360CA6EF80299549A880184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 3c08e69b62320cf9df213ac78b80bb299019f5cd98a662508333b94e690edc06
    • Instruction ID: 9f50d1039d2944fd5d30247634f996d7de93d89d857a42f0c321951709665ac8
    • Opcode Fuzzy Hash: 3c08e69b62320cf9df213ac78b80bb299019f5cd98a662508333b94e690edc06
    • Instruction Fuzzy Hash: 47A001E66AE216BCB15866966D0AC3B221DC5D4AAE360CA6EF80299549A880184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a1fe978ab9a0f112e59f89c31337af9c64aa390ffd2e2be48cbf8a5615a32e88
    • Instruction ID: 9f50d1039d2944fd5d30247634f996d7de93d89d857a42f0c321951709665ac8
    • Opcode Fuzzy Hash: a1fe978ab9a0f112e59f89c31337af9c64aa390ffd2e2be48cbf8a5615a32e88
    • Instruction Fuzzy Hash: 47A001E66AE216BCB15866966D0AC3B221DC5D4AAE360CA6EF80299549A880184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 08c78e58c8bfa88fbe10cebdfee16b798766a245bd09380c9cb1b45b1ade7615
    • Instruction ID: 9f50d1039d2944fd5d30247634f996d7de93d89d857a42f0c321951709665ac8
    • Opcode Fuzzy Hash: 08c78e58c8bfa88fbe10cebdfee16b798766a245bd09380c9cb1b45b1ade7615
    • Instruction Fuzzy Hash: 47A001E66AE216BCB15866966D0AC3B221DC5D4AAE360CA6EF80299549A880184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 1e543cc0225aec1d11591b83e6585f023d9abcf8616bf6114800b95a551d99f7
    • Instruction ID: 853a3668c169160da0a8512bc035dd710cc25b55ceb8adbf663e0d5c4f4cdbff
    • Opcode Fuzzy Hash: 1e543cc0225aec1d11591b83e6585f023d9abcf8616bf6114800b95a551d99f7
    • Instruction Fuzzy Hash: 7BA001E66EE606BCB14866966D06C3B121DC5D8FAA360CA2EF85684548A982184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 9b68b334c225628228c9e7c4c5e2459c3c16112077cef8d80b20267f976c7fb7
    • Instruction ID: 853a3668c169160da0a8512bc035dd710cc25b55ceb8adbf663e0d5c4f4cdbff
    • Opcode Fuzzy Hash: 9b68b334c225628228c9e7c4c5e2459c3c16112077cef8d80b20267f976c7fb7
    • Instruction Fuzzy Hash: 7BA001E66EE606BCB14866966D06C3B121DC5D8FAA360CA2EF85684548A982184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 681ddf9e653c395c8588ddf00d7f1b22123313d3590fa362cecec21cde766dfa
    • Instruction ID: c1bb005d338b928805e0b21bdd757e86e4e177e5e847f590a6c16356f9e0f31a
    • Opcode Fuzzy Hash: 681ddf9e653c395c8588ddf00d7f1b22123313d3590fa362cecec21cde766dfa
    • Instruction Fuzzy Hash: BCA011E22EA202BCB00822822C02C3B030CC0E0F2A320C22EF80280008A882080A8032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 5ad4f7e98f4ec7ec82b6b68942d6c62cbb31a5423cbce54f893f80dae431d4d3
    • Instruction ID: 853a3668c169160da0a8512bc035dd710cc25b55ceb8adbf663e0d5c4f4cdbff
    • Opcode Fuzzy Hash: 5ad4f7e98f4ec7ec82b6b68942d6c62cbb31a5423cbce54f893f80dae431d4d3
    • Instruction Fuzzy Hash: 7BA001E66EE606BCB14866966D06C3B121DC5D8FAA360CA2EF85684548A982184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 02920cff77ea114992d36d67608f76335f83fe39e7eb644586173d6e7643af19
    • Instruction ID: 853a3668c169160da0a8512bc035dd710cc25b55ceb8adbf663e0d5c4f4cdbff
    • Opcode Fuzzy Hash: 02920cff77ea114992d36d67608f76335f83fe39e7eb644586173d6e7643af19
    • Instruction Fuzzy Hash: 7BA001E66EE606BCB14866966D06C3B121DC5D8FAA360CA2EF85684548A982184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364E62
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: c15c8d078f579a390a14eb21ea7c2c29beed27982d80bf3bc12d73c10133098a
    • Instruction ID: 853a3668c169160da0a8512bc035dd710cc25b55ceb8adbf663e0d5c4f4cdbff
    • Opcode Fuzzy Hash: c15c8d078f579a390a14eb21ea7c2c29beed27982d80bf3bc12d73c10133098a
    • Instruction Fuzzy Hash: 7BA001E66EE606BCB14866966D06C3B121DC5D8FAA360CA2EF85684548A982184A8036
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 01364FA3
      • Part of subcall function 01365280: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0136528B
      • Part of subcall function 01365280: DloadReleaseSectionWriteAccess.DELAYIMP ref: 013652F3
      • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 1a85e5487c941559d60a4b833ddd09bf6a0db35d4cd85af038b4a7ad0448275e
    • Instruction ID: 970f2515d31998d94d40be54b1a2deba36a64254f5048022e4db41f0d1c79b0d
    • Opcode Fuzzy Hash: 1a85e5487c941559d60a4b833ddd09bf6a0db35d4cd85af038b4a7ad0448275e
    • Instruction Fuzzy Hash: 58A002E62BB202BCB14873966D06C3B121DC6D0FAA370C72EF800D4144A8801C8A8436
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetEndOfFile.KERNELBASE(?,0135A6E7), ref: 0135250C
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: File
    • String ID:
    • API String ID: 749574446-0
    • Opcode ID: 294f3db3ef222d9042eb55eccac558bcff386341c42237fd17bfbc6e3cff7845
    • Instruction ID: 884a98f3a72d9d49c031f74b675320cb4cbd8153a430bc4662519795c9e3c5b7
    • Opcode Fuzzy Hash: 294f3db3ef222d9042eb55eccac558bcff386341c42237fd17bfbc6e3cff7845
    • Instruction Fuzzy Hash: 3BA0243045000D47CD311730C50410C3731F7107C470003F45007CF051C7134407C700
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetCurrentDirectoryW.KERNELBASE(?,01361A78,013A6D80,00000000,013A7D82,00000006), ref: 0136171D
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CurrentDirectory
    • String ID:
    • API String ID: 1611563598-0
    • Opcode ID: baa73071e0f614098b5d7902e02d7e8dff25dda5e2064d3c79efee46d8b73383
    • Instruction ID: 8cb02fa386d79e74491b2cf15e5831136e3222a42162de37076bee60fb51d894
    • Opcode Fuzzy Hash: baa73071e0f614098b5d7902e02d7e8dff25dda5e2064d3c79efee46d8b73383
    • Instruction Fuzzy Hash: 5EA011302002008BC3222A308B0AA0EBAAEAFA0B20F00C02AA20A80020CB308820AB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 013511C6: GetDlgItem.USER32(00000000,00003021), ref: 0135120A
      • Part of subcall function 013511C6: SetWindowTextW.USER32(00000000,01379584), ref: 01351220
    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 01362E21
    • EndDialog.USER32(?,00000006), ref: 01362E34
    • GetDlgItem.USER32(?,0000006C), ref: 01362E50
    • SetFocus.USER32(00000000), ref: 01362E57
    • SetDlgItemTextW.USER32(?,00000065,?), ref: 01362E91
    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 01362EC8
    • FindFirstFileW.KERNEL32(?,?), ref: 01362EDE
      • Part of subcall function 0136172B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0136173F
      • Part of subcall function 0136172B: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 01361750
      • Part of subcall function 0136172B: SystemTimeToFileTime.KERNEL32(?,?), ref: 0136175E
      • Part of subcall function 0136172B: FileTimeToSystemTime.KERNEL32(?,?), ref: 0136176C
      • Part of subcall function 0136172B: GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 01361787
      • Part of subcall function 0136172B: GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 013617AE
      • Part of subcall function 0136172B: _swprintf.LIBCMT ref: 013617D4
    • _swprintf.LIBCMT ref: 01362F27
      • Part of subcall function 01352AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01352AB5
    • SetDlgItemTextW.USER32(?,0000006A,?), ref: 01362F3A
    • FindClose.KERNEL32(00000000), ref: 01362F41
    • _swprintf.LIBCMT ref: 01362F90
    • SetDlgItemTextW.USER32(?,00000068,?), ref: 01362FA3
    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 01362FC0
    • _swprintf.LIBCMT ref: 01362FF3
    • SetDlgItemTextW.USER32(?,0000006B,?), ref: 01363006
    • _swprintf.LIBCMT ref: 01363050
    • SetDlgItemTextW.USER32(?,00000069,?), ref: 01363063
      • Part of subcall function 01361B15: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 01361B3B
      • Part of subcall function 01361B15: GetNumberFormatW.KERNEL32 ref: 01361B8A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Item$Time$Text$_swprintf$FileSystem$FormatMessageSend$Find$CloseDateDialogFirstFocusInfoLocalLocaleNumberSpecificWindow__vswprintf_c_l
    • String ID: %s %s$REPLACEFILEDLG
    • API String ID: 3464475507-439456425
    • Opcode ID: cf2c09de2e491e774646f8e66851d051c6806c7c9a2d7ddac10205935bc2b82b
    • Instruction ID: 662b17394aad6095effec0e1b246e74af0773597f645479c7b266c99e2aafcbb
    • Opcode Fuzzy Hash: cf2c09de2e491e774646f8e66851d051c6806c7c9a2d7ddac10205935bc2b82b
    • Instruction Fuzzy Hash: 6C71B672548304BBE3319B68CC89FFB7BACEB96B04F054829FB49D6084E67595088772
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 2e8f36747f5e3eb6e0fd5044a96779feed0dd2047fb1a5509cb98163f4fbbb49
    • Instruction ID: e8fee5f2c83932f9fec645fb8a0e11ce84785a1e47872aaa0d9a94996c14cefa
    • Opcode Fuzzy Hash: 2e8f36747f5e3eb6e0fd5044a96779feed0dd2047fb1a5509cb98163f4fbbb49
    • Instruction Fuzzy Hash: 3BC24A71E086298FDB35CE28DD407EAB7B9EB44309F1541EAD94DE7241E778AE818F40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01365FFE
    • IsDebuggerPresent.KERNEL32 ref: 013660CA
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013660EA
    • UnhandledExceptionFilter.KERNEL32(?), ref: 013660F4
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: 9ccb7cf3038eedba1c2878fd4c3e7a5cb4da8f182df7964bcf878553b9e49d61
    • Instruction ID: c2978be08115130a10ef556bc25dfa79538f2259eaaa26e07b89be9b8fe9ca38
    • Opcode Fuzzy Hash: 9ccb7cf3038eedba1c2878fd4c3e7a5cb4da8f182df7964bcf878553b9e49d61
    • Instruction Fuzzy Hash: F93129B5D0521DDBDF21DFA4D989BCCBBB8BF08348F1041AAE409AB244EB715A84CF45
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualQuery.KERNEL32(80000000,0136500B,0000001C,01365200,00000000,?,?,?,?,?,?,?,0136500B,00000004,013B9274,01365290), ref: 013650D7
    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0136500B,00000004,013B9274,01365290), ref: 013650F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: InfoQuerySystemVirtual
    • String ID: D
    • API String ID: 401686933-2746444292
    • Opcode ID: 17e997e56489fa3f85e04c2969b1b64d6cbc140139e107b74881882591c7519b
    • Instruction ID: ca2f741585e0029a5e676fc89b8528da0d2fb719efc0eeee33745a369dfe20b2
    • Opcode Fuzzy Hash: 17e997e56489fa3f85e04c2969b1b64d6cbc140139e107b74881882591c7519b
    • Instruction Fuzzy Hash: 4501A772A40109ABDF24DE29DC05BEE7BADAFC4368F0CC224ED59D7149DA34D951C780
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0136A347
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0136A351
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0136A35E
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 21e8144082fc403f2636227f9857dc8ce1fc9ae0c3d55cbb91e129f209e886ec
    • Instruction ID: 398350bca227be723d714516539946c89fc9f5674a7fe2a2faf08a034bcf743f
    • Opcode Fuzzy Hash: 21e8144082fc403f2636227f9857dc8ce1fc9ae0c3d55cbb91e129f209e886ec
    • Instruction Fuzzy Hash: 7931C57490122D9BCB21DF68D989B8CBBB8BF18314F5082EAE41CA7254E7709B858F45
    Uniqueness

    Uniqueness Score: -1.00%
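
The entries above are worth a second look before the "IsDebuggerPresent" and "RaiseException" signatures are taken at face value. Eleven entries share one of two Instruction IDs (9f50d103... and 853a3668...) and all call ___delayLoadHelper2@8 at 01365280: identical mnemonic sequences with different operands, i.e. compiler-generated delay-load thunks. The RaiseException code C06D0057 in that helper decodes (NTSTATUS layout) to severity error, facility 0x6D (FACILITY_VISUALCPP from delayimp.h) and Win32 error 87, which is VcppException(ERROR_SEVERITY_ERROR, ERROR_INVALID_PARAMETER) as raised by the MSVC delayhlp.cpp descriptor check. The IsProcessorFeaturePresent(0x17) (PF_FASTFAIL_AVAILABLE), IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter sequence at 01365FFE-013660F4 is consistent with the CRT fail-fast reporting path, where IsDebuggerPresent only decides whether to break into an attached debugger. The following script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the APIs and Similarity bullets of entries as they appear on this page, clusters them by Instruction ID, decodes RaiseException codes and applies a triage heuristic of its own. The line grammar is inferred from the entries shown here (Strings and Memory Dump Source bullets are skipped), the classification labels are this example's assumptions, and SAMPLE is constructed from three entries on this page trimmed to the fields the parser reads. Python 3.8 or later is assumed.

```python
"""Triage helper for Joe Sandbox function-fingerprint entries (added example, not
part of the report or of the analysed sample). It parses the APIs/Similarity
bullets, groups entries that share an Instruction ID and decodes the delay-load
RaiseException code. SAMPLE is constructed from entries on this page, trimmed."""
import re
from collections import defaultdict

SAMPLE = """\
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
  • Part of subcall function 01365280: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 01365304
Similarity
• Opcode ID: 3c08e69b62320cf9df213ac78b80bb299019f5cd98a662508333b94e690edc06
• Instruction ID: 9f50d1039d2944fd5d30247634f996d7de93d89d857a42f0c321951709665ac8
Uniqueness Score: -1.00%
APIs
• ___delayLoadHelper2@8.DELAYIMP ref: 01364F4C
Similarity
• Opcode ID: a1fe978ab9a0f112e59f89c31337af9c64aa390ffd2e2be48cbf8a5615a32e88
• Instruction ID: 9f50d1039d2944fd5d30247634f996d7de93d89d857a42f0c321951709665ac8
Uniqueness Score: -1.00%
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 01365FFE
• IsDebuggerPresent.KERNEL32 ref: 013660CA
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 013660EA
• UnhandledExceptionFilter.KERNEL32(?), ref: 013660F4
Similarity
• Opcode ID: 9ccb7cf3038eedba1c2878fd4c3e7a5cb4da8f182df7964bcf878553b9e49d61
• Instruction ID: c2978be08115130a10ef556bc25dfa79538f2259eaaa26e07b89be9b8fe9ca38
Uniqueness Score: -1.00%
"""

# "Api.MODULE(args), ref: ADDR" or "Api.MODULE ref: ADDR"; Strings and dump bullets do not match.
CALL = re.compile(r"^(?P<api>[^.(\s]+)\.(?P<module>[A-Z0-9_]+)"
                  r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD = re.compile(r"^(Opcode ID|Instruction ID|API String ID): (\S+)$")
SUBCALL = "Part of subcall function "
# Win32 errors the MSVC delay-load helper (delayhlp.cpp) wraps with VcppException().
DELAYHLP_ERRORS = {87: "ERROR_INVALID_PARAMETER", 126: "ERROR_MOD_NOT_FOUND",
                   127: "ERROR_PROC_NOT_FOUND"}

def parse_entries(text):
    """One dict per function; an entry ends at its 'Uniqueness Score' line."""
    entries, cur = [], {"calls": [], "subcalls": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Uniqueness Score"):
            entries.append(cur)
            cur = {"calls": [], "subcalls": []}
        elif line.startswith("• "):
            body = line[2:]
            if body.startswith(SUBCALL):  # a call made by a callee, tagged with its address
                fn, _, rest = body[len(SUBCALL):].partition(": ")
                if m := CALL.match(rest):
                    cur["subcalls"].append((fn, m["api"], m["module"], m["args"]))
            elif m := FIELD.match(body):
                cur[m[1]] = m[2]
            elif m := CALL.match(body):
                cur["calls"].append((m["api"], m["module"], m["args"]))
    return entries

def cluster_by_instruction_id(entries):
    """Instruction ID -> sorted Opcode IDs: same mnemonic sequence, different operands."""
    groups = defaultdict(list)
    for e in entries:
        if "Instruction ID" in e:
            groups[e["Instruction ID"]].append(e.get("Opcode ID", "?"))
    return {k: sorted(v) for k, v in groups.items()}

def decode_vcpp_exception(code):
    """Split an NTSTATUS-layout code such as C06D0057 into severity, facility and Win32 error."""
    err = code & 0xFFFF
    return {"severity": ("success", "informational", "warning", "error")[code >> 30],
            "facility": (code >> 16) & 0x0FFF,  # 0x6D is FACILITY_VISUALCPP (delayimp.h)
            "code": err, "name": DELAYHLP_ERRORS.get(err, "unknown")}

def raise_codes(entries):
    """Distinct exception codes passed to RaiseException, directly or through a callee."""
    codes = set()
    for e in entries:
        for api, _mod, args in e["calls"] + [s[1:] for s in e["subcalls"]]:
            first = (args or "").split(",")[0]
            if api == "RaiseException" and re.fullmatch(r"[0-9A-F]{1,8}", first):
                codes.add(int(first, 16))
    return sorted(codes)

def classify(entry):
    """Triage heuristic of this example (not a Joe Sandbox rule): park compiler-generated code."""
    apis = {api for api, _mod, _args in entry["calls"]}
    if apis and apis <= {"___delayLoadHelper2@8"}:
        return "delay-load thunk"
    if {"IsDebuggerPresent", "SetUnhandledExceptionFilter", "UnhandledExceptionFilter"} <= apis:
        # CRT fail-fast path: IsDebuggerPresent only decides whether to break into an attached debugger.
        return "crt-fail-fast"
    return "review"

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    print([classify(e) for e in parsed], [hex(c) for c in raise_codes(parsed)])
```

Run against the full text of this section, the script collapses the delay-load entries into two Instruction ID clusters and leaves the REPLACEFILEDLG dialog handler, SetEndOfFile and SetCurrentDirectoryW functions under "review", which is where analyst time belongs. The labels are heuristics: a sample can still hide logic behind a CRT-looking call sequence, so "crt-fail-fast" means "matches the runtime pattern", not "verified benign".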

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    • Opcode ID: 38748ae2721d2dbdfd4fcc0935b2c90db5f6ba1db12910d645f0eaaefc8d5c67
    • Instruction ID: ef99bb24324add103d5828ec48de342e4ea3761da0c3a5f6bc00eff8044768b1
    • Opcode Fuzzy Hash: 38748ae2721d2dbdfd4fcc0935b2c90db5f6ba1db12910d645f0eaaefc8d5c67
    • Instruction Fuzzy Hash: 8C31E272900249BFDB359E7DCC84EEABBADDB85318F0442A8E919D7241E6349A458B90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmpDownload File
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmpDownload File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: fd3dd93da610b919f8d165fbb2784f9b1b6ab208c1227b41d85b18d91c3e1033
    • Instruction ID: afad88226ba3b43d0f38fe3ee4d0624480ac3bfd6cfe59bf183600756ac1b369
    • Opcode Fuzzy Hash: fd3dd93da610b919f8d165fbb2784f9b1b6ab208c1227b41d85b18d91c3e1033
    • Instruction Fuzzy Hash: 6E023C71E002199BDF24CFADC8806AEBBF5FF48328F15816AD919E7341D735A9419B80
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 01361B3B
    • GetNumberFormatW.KERNEL32 ref: 01361B8A
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: FormatInfoLocaleNumber
    • String ID:
    • API String ID: 2169056816-0
    • Opcode ID: 2021e44e939fd7345ba7e3c5b1c3fa5683d9b1036f6fe8eb977b9ed5990c477a
    • Instruction ID: 7e40493610bcdcc6410aca94c536cb01cb5b8280dc20153056def7f44c48f025
    • Opcode Fuzzy Hash: 2021e44e939fd7345ba7e3c5b1c3fa5683d9b1036f6fe8eb977b9ed5990c477a
    • Instruction Fuzzy Hash: 21017175500309AED7209FA5DC45F9E77BCEF48728F008026FA04EB185E3709A25CBA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(013519FE,?,00000400), ref: 01351891
    • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 013518B2
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ErrorFormatLastMessage
    • String ID:
    • API String ID: 3479602957-0
    • Opcode ID: 45041f3d5f731274d10f2997df5c2fde5188573fc0eb5003abd1e7961440420f
    • Instruction ID: aee555a929c5e0826e24cfc6b9bda3303eb94b0f3340845a1058a1dc0df5522a
    • Opcode Fuzzy Hash: 45041f3d5f731274d10f2997df5c2fde5188573fc0eb5003abd1e7961440420f
    • Instruction Fuzzy Hash: 55D05230244300BAFA720A204C06F2A3BADBB00B69F048104BB10A80D0C6709020A728
    Uniqueness

    Uniqueness Score: -1.00%
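
    The entries in this section list each call as `Name.MODULE(args), ref: address`, with the address given against the dump's load base (`Offset: 01350000`), nested `Part of subcall function` lines for callees, and a `$`-separated `API ID` in the Similarity block. The following is an added example, not part of the Joe Sandbox report or its tooling: a parser that turns these entries into records, converts each `ref` to an image-relative offset for lookup in a disassembler of the on-disk file, and flags entries whose API ID names a debugger check. The input is constructed from three entries copied from this page with their Associated lines dropped; the section names, regular expressions and the token list are the example's own assumptions about the report format.

```python
"""Parse Joe Sandbox 'Executed Functions' entries (as listed above) into records.
Added example, not part of the Joe Sandbox report; formats are inferred from this page."""
import re

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Similarity", "Uniqueness"}
# Name.MODULE(args), ref: ADDR   (args and the comma are optional), e.g.
#   GetLastError.KERNEL32(013519FE,?,00000400), ref: 01351891   /   _free.LIBCMT ref: 0136F685
API_RE = re.compile(r"^(?P<name>\S+?)\.(?P<module>[A-Z][A-Z0-9_]*)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*(?P<rest>.*)$")
BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]{8})")
# The report's signatures call out IsDebuggerPresent. The MSVC CRT fail-fast path
# also pairs IsDebuggerPresent with SetUnhandledExceptionFilter, so a hit is a
# lead to check in the disassembler, not proof of evasion. Assumed token list.
ANTI_ANALYSIS_TOKENS = {"DebuggerPresent"}


def _parse_api(body, parent=None):
    m = API_RE.match(body)
    if not m:
        return None
    args = m.group("args")
    return {"name": m.group("name"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": int(m.group("ref"), 16),
            "parent": parent}  # enclosing subcall function address, if nested


def parse_entries(text):
    """One dict per function; an entry ends at its 'Uniqueness Score' line."""
    entries, cur, section = [], {"apis": [], "fields": {}, "image_base": None}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Uniqueness Score:"):
            cur["uniqueness_score"] = line.split(":", 1)[1].strip()
            entries.append(cur)
            cur, section = {"apis": [], "fields": {}, "image_base": None}, None
        elif line in SECTIONS:
            section = line
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                sub = SUBCALL_RE.match(body)
                api = _parse_api(sub.group("rest"), sub.group("parent")) if sub else _parse_api(body)
                if api:
                    cur["apis"].append(api)
            else:  # 'Key: Value' bullets: Source File, API ID, Opcode ID, ...
                key, _, value = body.partition(":")
                cur["fields"][key.strip()] = value.strip()
                if key.strip() == "Source File" and (b := BASE_RE.search(value)):
                    cur["image_base"] = int(b.group("base"), 16)
    return entries


def rva(api, entry):
    """Call-site offset from the dump's load base ('Offset: 01350000'): the
    address to navigate to in a disassembler of the on-disk file."""
    return api["ref"] - entry["image_base"]


def api_tokens(entry):
    """'API ID' groups are '$'-separated: 'ExceptionFilterUnhandled$DebuggerPresent'."""
    return [t for t in entry["fields"].get("API ID", "").split("$") if t]


def flag_anti_analysis(entries):
    """Indices of entries whose API ID contains a debugger-detection token."""
    return [i for i, e in enumerate(entries) if ANTI_ANALYSIS_TOKENS & set(api_tokens(e))]


# Constructed input: three entries copied from this page, 'Associated' lines dropped.
SAMPLE = """\
APIs
• GetLastError.KERNEL32(013519FE,?,00000400), ref: 01351891
• FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 013518B2
Memory Dump Source
• Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
Uniqueness Score: -1.00%
APIs
• _free.LIBCMT ref: 0136F685
  • Part of subcall function 0136F8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?), ref: 0136F8D0
  • Part of subcall function 0136F8BA: GetLastError.KERNEL32(?,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?,?), ref: 0136F8E2
Memory Dump Source
• Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
• API String ID: 776569668-0
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• API String ID: 3906539128-0
Uniqueness Score: -1.00%
"""
```

    Calling `parse_entries(SAMPLE)` yields three records; `rva()` of the first `GetLastError` call is 0x1891, the nested `RtlFreeHeap` call carries `parent` 0136F8BA and offset 0x1F8D0, and `flag_anti_analysis()` returns the index of the `ExceptionFilterUnhandled$DebuggerPresent` entry. Because that API pair is also what the MSVC CRT's fail-fast path emits, open the flagged offset in the disassembly and confirm whether the check gates the sample's own logic before reading it as evasion.
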

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID: 0C6L3.cpl
    • API String ID: 0-1539666090
    • Opcode ID: 691db56a405778c0c61b2dcb848517d7d8998c4d556864aa743c5135ca939414
    • Instruction ID: e77d1c356b0af3e3bb965d9ae5853a0c0f009a89f780b219d67d58a32a6de43e
    • Opcode Fuzzy Hash: 691db56a405778c0c61b2dcb848517d7d8998c4d556864aa743c5135ca939414
    • Instruction Fuzzy Hash: AE22C171504316CFC7A5DE68D89082ABBEDFB84B2CF141A2DED9197384F731D9088B92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,01377DFF,?,?,00000008,?,?,01377A9F,00000000), ref: 01378031
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: 2aec8ef88ff66570c2615d4b6fa93a4662782c630135eb01c61f243fee8f29b9
    • Instruction ID: 490e5c0916c06cdad0c74989af1e405c31d736e017e21db9b3242bf48cb7e0d0
    • Opcode Fuzzy Hash: 2aec8ef88ff66570c2615d4b6fa93a4662782c630135eb01c61f243fee8f29b9
    • Instruction Fuzzy Hash: 8AB11A31210609DFE725CF2CC58AB657FA0FF45368F258698E999CF2A1C339D995CB40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetVersionExW.KERNEL32(?), ref: 01352DB3
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Version
    • String ID:
    • API String ID: 1889659487-0
    • Opcode ID: 0f718a6c30a4109c07e5569d7fe1b8c9ebe3d3567e1282ce2ddfa50e80f5b67e
    • Instruction ID: 13ce6b8aa91725bedc45059326f3303f359c9317d7a171d1034cdcefc69b9fc6
    • Opcode Fuzzy Hash: 0f718a6c30a4109c07e5569d7fe1b8c9ebe3d3567e1282ce2ddfa50e80f5b67e
    • Instruction Fuzzy Hash: D9F017F4904208CBCB29CB18E882ADE77E9FB88758F500295D92593388D7709A848FA1
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID: 0-3916222277
    • Opcode ID: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
    • Instruction ID: ff3660bc8c7c2d66a1d823b9c95cf18f8fdc40317b60209da62ee46e95bd67d3
    • Opcode Fuzzy Hash: 934ccf0cd4b67d897cb7c2438ec395f92651c0feaeced376863ec7c5dca47e2e
    • Instruction Fuzzy Hash: 021146B19047099FD7A48F5AD846B5AFBF5EB00718F50C92ED9A6E2580D371E140CB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: 9f8d2e525faa8c3c73d4be92bde00c09de7ff8c01686c11c3bcbcd43607d953e
    • Instruction ID: 0bf8f0083e15eb7143dedea8495301b3b647744309b05f0a2dd2baf7a282d987
    • Opcode Fuzzy Hash: 9f8d2e525faa8c3c73d4be92bde00c09de7ff8c01686c11c3bcbcd43607d953e
    • Instruction Fuzzy Hash: 17A001B06022018BDBA08E75A68D30A3BEDAA457A9B068169A609C6268FA248460DB01
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 27329bd2b38ea0fc70af58ccf55552f5284fd50f828b14c9829db2735e4e426b
    • Instruction ID: f9615137fc880c777caddae59361c6c4b83886dd2e66d10cda692cf98f2b749f
    • Opcode Fuzzy Hash: 27329bd2b38ea0fc70af58ccf55552f5284fd50f828b14c9829db2735e4e426b
    • Instruction Fuzzy Hash: 66524B726187018FC718CF19C891A6AF7E1FFCC304F498A2DE9959B255D334EA19CB86
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 730cedae5e032ea2acdef81fe9a8540f9002496c6160569bf7150c16bdff4a7c
    • Instruction ID: 99f44201b0ac8778ff310453ba443751ad2a6f1a27f711bb728f38c066eb3a2b
    • Opcode Fuzzy Hash: 730cedae5e032ea2acdef81fe9a8540f9002496c6160569bf7150c16bdff4a7c
    • Instruction Fuzzy Hash: B6D15B745083928FC755CF29E09087EFBF4AB9A310F08895EF5E58734AC231E61ADB61
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bf8c5b1a7093fdd6b2c97badd3fdd53e6382018a618ee7ca9affa3e5dc6e03b1
    • Instruction ID: f1162a36ebbac12f2876fffdafeb203b14ab17e1abcbfae529981ca27d623979
    • Opcode Fuzzy Hash: bf8c5b1a7093fdd6b2c97badd3fdd53e6382018a618ee7ca9affa3e5dc6e03b1
    • Instruction Fuzzy Hash: F261AD7170034DABEE34592C8895BBEFB9CDF1120CF08C42AEA82DB68DD219D9418F55
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
    • Instruction ID: bb5bd17b5662c118fa49633a437d0c7c8281c7db21608a1ee6e7fc3bbcd63451
    • Opcode Fuzzy Hash: 5deea3b29f66a918188f7a75532971316276c2599c24e1ebb0fa75850081f94e
    • Instruction Fuzzy Hash: 325187A1700649D7EF38892C85A57FFEB9D9F1231CF08C919D782CB69EC615DA018F22
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 9615c2b8285eff84a7c5dfa0d8d9816c9273637927f61b83547e9f544fbdee3c
    • Instruction ID: 302bc222f5489a9d88f30f7e9341ef61b9cd733a735964bb205be365e5b0d5b9
    • Opcode Fuzzy Hash: 9615c2b8285eff84a7c5dfa0d8d9816c9273637927f61b83547e9f544fbdee3c
    • Instruction Fuzzy Hash: 6951F5715093D58FC702CF28D14096EFFE1AF9AA2CF4A089DE8D55B142D230E64ACB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _swprintf.LIBCMT ref: 0135489E
      • Part of subcall function 01352AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01352AB5
      • Part of subcall function 01357B9F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,013548BA,?,00000000,00000000,?,?,?,013548BA,?,?,00000050), ref: 01357BBC
    • SetDlgItemTextW.USER32(?,01384154,?), ref: 0135491F
    • GetWindowRect.USER32(?,?), ref: 01354959
    • GetClientRect.USER32(?,?), ref: 01354965
    • GetWindowLongW.USER32(?,000000F0), ref: 01354A05
    • GetWindowRect.USER32(?,?), ref: 01354A32
    • SetWindowTextW.USER32(?,?), ref: 01354A6B
    • GetSystemMetrics.USER32(00000008), ref: 01354A73
    • GetWindow.USER32(?,00000005), ref: 01354A7E
    • GetWindowRect.USER32(00000000,?), ref: 01354AAB
    • GetWindow.USER32(00000000,00000002), ref: 01354B1D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_swprintf
    • String ID: $%s:$CAPTION$d
    • API String ID: 3208934588-2512411981
    • Opcode ID: 0a06f5e166fe57396a29b52efc4baaecfd8f963958b73e9af0c10a3e39d9e26e
    • Instruction ID: f0f909cbce9cca350ac1434e54240cfec0e57340396b8572a1da941bff5b7329
    • Opcode Fuzzy Hash: 0a06f5e166fe57396a29b52efc4baaecfd8f963958b73e9af0c10a3e39d9e26e
    • Instruction Fuzzy Hash: C181A472608301AFD764DF68CD85E6FBBFDEB89718F04451DFA84A3244E670E9058B52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___free_lconv_mon.LIBCMT ref: 01372F76
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372B2E
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372B40
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372B52
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372B64
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372B76
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372B88
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372B9A
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372BAC
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372BBE
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372BD0
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372BE2
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372BF4
      • Part of subcall function 01372B11: _free.LIBCMT ref: 01372C06
    • _free.LIBCMT ref: 01372F6B
      • Part of subcall function 0136F8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?), ref: 0136F8D0
      • Part of subcall function 0136F8BA: GetLastError.KERNEL32(?,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?,?), ref: 0136F8E2
    • _free.LIBCMT ref: 01372F8D
    • _free.LIBCMT ref: 01372FA2
    • _free.LIBCMT ref: 01372FAD
    • _free.LIBCMT ref: 01372FCF
    • _free.LIBCMT ref: 01372FE2
    • _free.LIBCMT ref: 01372FF0
    • _free.LIBCMT ref: 01372FFB
    • _free.LIBCMT ref: 01373033
    • _free.LIBCMT ref: 0137303A
    • _free.LIBCMT ref: 01373057
    • _free.LIBCMT ref: 0137306F
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 242aa1dcd7aef650d79d84d6e31200c6a6c27d1f92b6390f24d2229a98178753
    • Instruction ID: b9e5d7a634ce0753e691e6736da596d57d9d43c73f0eb28a256ef3e1e52bfe72
    • Opcode Fuzzy Hash: 242aa1dcd7aef650d79d84d6e31200c6a6c27d1f92b6390f24d2229a98178753
    • Instruction Fuzzy Hash: 743152325007059FFB36AA3DE844B5BBBEDFF10218F108469E95AD7254DF39A884DB10
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindow.USER32(?,00000005), ref: 01364181
    • GetClassNameW.USER32(00000000,?,00000800), ref: 013641AD
      • Part of subcall function 01357D7D: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,01353108,?,?,?,013530B5,?,-00000002,?,00000000,?), ref: 01357D93
    • GetWindowLongW.USER32(00000000,000000F0), ref: 013641C9
    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 013641E0
    • GetObjectW.GDI32(00000000,00000018,?), ref: 013641F4
    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0136421D
    • DeleteObject.GDI32(00000000), ref: 01364224
    • GetWindow.USER32(00000000,00000002), ref: 0136422D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
    • String ID: STATIC
    • API String ID: 3820355801-1882779555
    • Opcode ID: a941a946319f00469898b5630235516ba512c78762e580e25713312ca2f7de5f
    • Instruction ID: f4a2c0cf66c0b39b39a8faece5038a506282810a514aa93d3f5f8bdc17be40e3
    • Opcode Fuzzy Hash: a941a946319f00469898b5630235516ba512c78762e580e25713312ca2f7de5f
    • Instruction Fuzzy Hash: CF113672A047117BE7316B28EC89FAF7A5CEF54759F008020FF41A708DEB68890687B4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 0136F685
      • Part of subcall function 0136F8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?), ref: 0136F8D0
      • Part of subcall function 0136F8BA: GetLastError.KERNEL32(?,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?,?), ref: 0136F8E2
    • _free.LIBCMT ref: 0136F691
    • _free.LIBCMT ref: 0136F69C
    • _free.LIBCMT ref: 0136F6A7
    • _free.LIBCMT ref: 0136F6B2
    • _free.LIBCMT ref: 0136F6BD
    • _free.LIBCMT ref: 0136F6C8
    • _free.LIBCMT ref: 0136F6D3
    • _free.LIBCMT ref: 0136F6DE
    • _free.LIBCMT ref: 0136F6EC
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 3bd744ad36be5cf2084c115e0625035ef743b4da670cd06f2f05060c444d41a0
    • Instruction ID: 0dd8114335878575a8960071587e36733a8003643ee82eba9a3ecfdc105b131e
    • Opcode Fuzzy Hash: 3bd744ad36be5cf2084c115e0625035ef743b4da670cd06f2f05060c444d41a0
    • Instruction Fuzzy Hash: 0A11A476900119BFDB01EF98E860CDD3FBEEF18254B01C1A5FA188B225DA31DE519B80
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 322700389-393685449
    • Opcode ID: 2039b88b90fa1438da33a9efe967476460f11a8b62d0fe05e685fc1f054b20b7
    • Instruction ID: a848cd008166c09e3611f8ef03175f48d3814907833e2a1f57ff1ffcccd8e830
    • Opcode Fuzzy Hash: 2039b88b90fa1438da33a9efe967476460f11a8b62d0fe05e685fc1f054b20b7
    • Instruction Fuzzy Hash: 65B16C7190020ADFCF15DFA8C980AAEBBBDFF1831CF14815AE9056B21AD771DA51CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _wcslen.LIBCMT ref: 013601F6
    • _wcslen.LIBCMT ref: 01360296
    • GlobalAlloc.KERNEL32(00000040,?), ref: 013602A5
    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 013602C6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen$AllocByteCharGlobalMultiWide
    • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
    • API String ID: 1116704506-4209811716
    • Opcode ID: 1686b8a8b5b73e4cf8bf22d5bc5fd643856ff24ae19ca273e5042afc684009ab
    • Instruction ID: 4bd283db14fae681aa1d2ad8073cf6f0a03f9bc84a99984bd1705434e10330a2
    • Opcode Fuzzy Hash: 1686b8a8b5b73e4cf8bf22d5bc5fd643856ff24ae19ca273e5042afc684009ab
    • Instruction Fuzzy Hash: E7317D322043167BE739AB78DC06F6F7BACDF52728F14800DF551A71C9EBA4990883A5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 013511C6: GetDlgItem.USER32(00000000,00003021), ref: 0135120A
      • Part of subcall function 013511C6: SetWindowTextW.USER32(00000000,01379584), ref: 01351220
    • EndDialog.USER32(?,00000001), ref: 01362180
    • SendMessageW.USER32(?,00000080,00000001,?), ref: 013621A7
    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 013621C0
    • SetWindowTextW.USER32(?,?), ref: 013621D1
    • GetDlgItem.USER32(?,00000065), ref: 013621DA
    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 013621EE
    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 01362204
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: MessageSend$Item$TextWindow$Dialog
    • String ID: LICENSEDLG
    • API String ID: 3214253823-2177901306
    • Opcode ID: e5582cdc7045b65666e9cfded37745c9c6cdfbc100dbef3a805f1455ae69db26
    • Instruction ID: c10f6478dfebdd11c6e5df2ee92508b76ed6ee035552891bce55056c5b8710b5
    • Opcode Fuzzy Hash: e5582cdc7045b65666e9cfded37745c9c6cdfbc100dbef3a805f1455ae69db26
    • Instruction Fuzzy Hash: DB21E532644209BBE2315F39EC8DE7B3B7CEB8AB89F028014F705A619CE75699019731
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0136173F
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 01361750
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0136175E
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0136176C
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 01361787
    • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032), ref: 013617AE
    • _swprintf.LIBCMT ref: 013617D4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Time$System$File$Format$DateLocalSpecific_swprintf
    • String ID: %s %s
    • API String ID: 385609497-2939940506
    • Opcode ID: 25b9772cbc1a5469725777926e9e1721a1b81d4690ddd8c6004032f4230891b7
    • Instruction ID: 3542659f2009dd2c054db4b836b9bd40fad9f0aef5807f749b83069d2441c27d
    • Opcode Fuzzy Hash: 25b9772cbc1a5469725777926e9e1721a1b81d4690ddd8c6004032f4230891b7
    • Instruction Fuzzy Hash: 402106B251019CAFDB22DFA1DC48EEF3BADFF49318F044526FA05D2105E625DA49CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: </p>$</style>$<br>$<style>$>
    • API String ID: 176396367-3568243669
    • Opcode ID: 4d96279c7babe9063e40910478096c0c90679bdbc389fd590e29cd58928a6cea
    • Instruction ID: e0afa81a3a02af3462b8299bb8ecf145b4eb10c1d459148250cfc6208569b874
    • Opcode Fuzzy Hash: 4d96279c7babe9063e40910478096c0c90679bdbc389fd590e29cd58928a6cea
    • Instruction Fuzzy Hash: 94515F6674032355F7389A1C4C13B7A77EDDF51698F58841BFEC09B1D9FBA588408391
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,01376212,00000000,00000000,00000000,00000000,00000000,0136B802), ref: 01375ADF
    • __fassign.LIBCMT ref: 01375B5A
    • __fassign.LIBCMT ref: 01375B75
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 01375B9B
    • WriteFile.KERNEL32(?,00000000,00000000,01376212,00000000,?,?,?,?,?,?,?,?,?,01376212,00000000), ref: 01375BBA
    • WriteFile.KERNEL32(?,00000000,00000001,01376212,00000000,?,?,?,?,?,?,?,?,?,01376212,00000000), ref: 01375BF3
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: e82a32adac15d77fdea32503804c915ec92ac9fec255913bbc076411deffa412
    • Instruction ID: df20c04b4fc2f3b036b527e2e1ff36845857fb7328bcef9276e27e87a0716536
    • Opcode Fuzzy Hash: e82a32adac15d77fdea32503804c915ec92ac9fec255913bbc076411deffa412
    • Instruction Fuzzy Hash: E951A3B1A0020D9FDB24CFA8D885BEEBBF8EF19314F14421AE655E7291E6349941CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _ValidateLocalCookies.LIBCMT ref: 01368B97
    • ___except_validate_context_record.LIBVCRUNTIME ref: 01368B9F
    • _ValidateLocalCookies.LIBCMT ref: 01368C28
    • __IsNonwritableInCurrentImage.LIBCMT ref: 01368C53
    • _ValidateLocalCookies.LIBCMT ref: 01368CA8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 1170836740-1018135373
    • Opcode ID: 890cab931e13b3c1e8f98afec2b1a3d8e84975d7a87d4496b3c5536eae44b115
    • Instruction ID: 394dd1b8138f4bb7e75ea81c7955430563c01923a2dea68ee0219ef0e660b94d
    • Opcode Fuzzy Hash: 890cab931e13b3c1e8f98afec2b1a3d8e84975d7a87d4496b3c5536eae44b115
    • Instruction Fuzzy Hash: 9541BF30A01309AFCF20DF6CC884A9EBBB9AF5932CF04C195E9186B35DD7719905CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ShowWindow.USER32(?,00000000), ref: 01360A0E
    • GetWindowRect.USER32(?,?), ref: 01360A64
    • ShowWindow.USER32(?,00000005,00000000), ref: 01360B01
    • SetWindowTextW.USER32(?,00000000), ref: 01360B09
    • ShowWindow.USER32(00000000,00000005), ref: 01360B1F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Window$Show$RectText
    • String ID: RarHtmlClassName
    • API String ID: 3937224194-1658105358
    • Opcode ID: ef499c4b987c41d778775c1a13917ae55af9f1d8d7843bcd9907cc65313c7bec
    • Instruction ID: 809d9d4963bd3f17f498722bf72f0ead17e5804124dad9d2f6ba1e9378809286
    • Opcode Fuzzy Hash: ef499c4b987c41d778775c1a13917ae55af9f1d8d7843bcd9907cc65313c7bec
    • Instruction Fuzzy Hash: FD41E431404204AFDB259F68DC89B6B7FACEF48749F00C658FA496B159EB30D440CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: $&nbsp;$<br>$<style>body{font-family:"Arial";font-size:12;}</style>
    • API String ID: 176396367-3743748572
    • Opcode ID: 3334e24d8750b0e5d7dd0145f7e9564cbfda3f986cd1f50f838b4d215d727ed7
    • Instruction ID: 7314f638fb23e610000bd50d5591e7ebdc10de3d3fbaef6f9a11e787b2a6cf51
    • Opcode Fuzzy Hash: 3334e24d8750b0e5d7dd0145f7e9564cbfda3f986cd1f50f838b4d215d727ed7
    • Instruction Fuzzy Hash: 4C315E61648306E6E639BF9C9C03B7B73ACEB40328F14C41FF99567284FA95A94083A5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 01372C78: _free.LIBCMT ref: 01372CA1
    • _free.LIBCMT ref: 01372D02
      • Part of subcall function 0136F8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?), ref: 0136F8D0
      • Part of subcall function 0136F8BA: GetLastError.KERNEL32(?,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?,?), ref: 0136F8E2
    • _free.LIBCMT ref: 01372D0D
    • _free.LIBCMT ref: 01372D18
    • _free.LIBCMT ref: 01372D6C
    • _free.LIBCMT ref: 01372D77
    • _free.LIBCMT ref: 01372D82
    • _free.LIBCMT ref: 01372D8D
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction ID: c13564c5878925856a7b8a196e29d566b50de13f730e6ecf96edd2cb3c3ce017
    • Opcode Fuzzy Hash: ed90a822092467ab948ce4ab8a4e5ff1fef504289117e408d2aed02f462530fb
    • Instruction Fuzzy Hash: BA1193B2940F06BAE930B7F4CD05FCB7BADAF30704F404D28B7AAA6150DA38B5059790
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0136508C,01364FEF,01365290), ref: 01365028
    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0136503E
    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 01365053
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
    • API String ID: 667068680-1718035505
    • Opcode ID: 5c271e9ab73cd8d16743ade196053a6ea2a4014965810a14dae207d7b56ec028
    • Instruction ID: a1ccdc11fdfa1d291d87d0a92313632a570c96915206d6cbb2f112427a9ce07e
    • Opcode Fuzzy Hash: 5c271e9ab73cd8d16743ade196053a6ea2a4014965810a14dae207d7b56ec028
    • Instruction Fuzzy Hash: C9F0C871746217ABEF324D799CC4AAA779C6B023EC308813DDB41DAA0CE611C845D7D0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,01368EE1,01368E6C,013661F4), ref: 01368EF8
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01368F06
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01368F1F
    • SetLastError.KERNEL32(00000000,01368EE1,01368E6C,013661F4), ref: 01368F71
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: f6f52f21804a8f4f008880e674c94bd9bccb3b28570383a65022e20d493d09c1
    • Instruction ID: 886048d367b779444e657cce1131e5be6ac428fdf5fac71e781ccea06083941f
    • Opcode Fuzzy Hash: f6f52f21804a8f4f008880e674c94bd9bccb3b28570383a65022e20d493d09c1
    • Instruction Fuzzy Hash: A601B5322197139EE6356E7D7C44A2A3A5DEB1577CB308369E210694DCFE5248459344
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,0136ABD7,?,?,?,0136A652,00000050), ref: 0136F769
    • _free.LIBCMT ref: 0136F79C
    • _free.LIBCMT ref: 0136F7C4
    • SetLastError.KERNEL32(00000000), ref: 0136F7D1
    • SetLastError.KERNEL32(00000000), ref: 0136F7DD
    • _abort.LIBCMT ref: 0136F7E3
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: 2b06e35595b11a4be7bee804d48ab18bf32b53a39e7b187f6b66b48f2eddfe1b
    • Instruction ID: 13ed8b5e5fe386be4914889b492e1b4f94201ce8a5d9fd7ad0b8290154a9b549
    • Opcode Fuzzy Hash: 2b06e35595b11a4be7bee804d48ab18bf32b53a39e7b187f6b66b48f2eddfe1b
    • Instruction Fuzzy Hash: 7CF0CD37200602A6D733363C7C55B1B297D5FD17BDF258224F915D258DEF2988014220
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetTempPathW.KERNEL32(00000800,?), ref: 0136394F
      • Part of subcall function 013531E2: _wcslen.LIBCMT ref: 013531E8
    • _swprintf.LIBCMT ref: 01363983
      • Part of subcall function 01352AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01352AB5
    • SetDlgItemTextW.USER32(?,00000066,013A7D82), ref: 013639A3
    • EndDialog.USER32(?,00000001), ref: 01363AB0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcslen
    • String ID: %s%s%u
    • API String ID: 110358324-1360425832
    • Opcode ID: 73f700b94ef2da12fcc6fd074ae867426cbdf13f3c4eab4471cc2b74cc96deec
    • Instruction ID: 89b6dc4930bb254a2bc0e2ac6fe93e9e1cfc1abf0855977ccd962c1cbd857142
    • Opcode Fuzzy Hash: 73f700b94ef2da12fcc6fd074ae867426cbdf13f3c4eab4471cc2b74cc96deec
    • Instruction Fuzzy Hash: 66416472900119AADF31DB98CC44FEE77BCFB14748F8080A6EA0DA7145EB719A449FA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _wcslen.LIBCMT ref: 01353609
    • GetCurrentDirectoryW.KERNEL32(000007FF,?,000000FF,000000FF,?,?,?,?,01352763,000000FF,?,00000800,?,?,01351D8F,?), ref: 013536A7
    • _wcslen.LIBCMT ref: 0135371D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen$CurrentDirectory
    • String ID: UNC$\\?\
    • API String ID: 3341907918-253988292
    • Opcode ID: 3d62bec54ad4333958a04cb866f95f540292a66bb11c7fd0b7a7c96ce9d9382a
    • Instruction ID: b73fa990f45a01c6501c9e17b814f5ea52b3d50206a60619eb414438ebabb894
    • Opcode Fuzzy Hash: 3d62bec54ad4333958a04cb866f95f540292a66bb11c7fd0b7a7c96ce9d9382a
    • Instruction Fuzzy Hash: 2141C3B184025ABACB61AF2CCC41EEE7B79BF11FECB404129FD14A7100E7719A4087A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadBitmapW.USER32(00000065), ref: 0136225D
    • GetObjectW.GDI32(00000000,00000018,?), ref: 01362282
    • DeleteObject.GDI32(00000000), ref: 013622B4
    • DeleteObject.GDI32(00000000), ref: 013622D7
      • Part of subcall function 013611D2: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,013622AD,00000066), ref: 013611E5
      • Part of subcall function 013611D2: SizeofResource.KERNEL32(00000000,?,?,?,013622AD,00000066), ref: 013611FC
      • Part of subcall function 013611D2: LoadResource.KERNEL32(00000000,?,?,?,013622AD,00000066), ref: 01361213
      • Part of subcall function 013611D2: LockResource.KERNEL32(00000000,?,?,?,013622AD,00000066), ref: 01361222
      • Part of subcall function 013611D2: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,013622AD,00000066), ref: 0136123D
      • Part of subcall function 013611D2: GlobalLock.KERNEL32 ref: 0136124E
      • Part of subcall function 013611D2: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 013612B7
      • Part of subcall function 013611D2: GlobalUnlock.KERNEL32(00000000), ref: 013612D6
      • Part of subcall function 013611D2: GlobalFree.KERNEL32 ref: 013612DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
    • String ID: ]
    • API String ID: 1428510222-3352871620
    • Opcode ID: 38172ebfb3500ca5d6d565f670e6e61f2d1e7688b65d8ca63706d0e94ffb1036
    • Instruction ID: 88021aad8e049acbdf30575b736deb4254ee0f3c45f5e7474f8a6956f0744950
    • Opcode Fuzzy Hash: 38172ebfb3500ca5d6d565f670e6e61f2d1e7688b65d8ca63706d0e94ffb1036
    • Instruction Fuzzy Hash: B101D232900606ABDB62276C8C09A6F7E7EABC1B99F054014EE00B728CEF35880546A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 013511C6: GetDlgItem.USER32(00000000,00003021), ref: 0135120A
      • Part of subcall function 013511C6: SetWindowTextW.USER32(00000000,01379584), ref: 01351220
    • EndDialog.USER32(?,00000001), ref: 0136410B
    • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 01364121
    • SetDlgItemTextW.USER32(?,00000066,?), ref: 01364135
    • SetDlgItemTextW.USER32(?,00000068), ref: 01364144
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ItemText$DialogWindow
    • String ID: RENAMEDLG
    • API String ID: 445417207-3299779563
    • Opcode ID: 5b85165075cf8954891e1ea550836e7224eb1d62a53a36d8a811c309b882710e
    • Instruction ID: 07d76b4c6c7eb72d512afe150e46dacacf1bcb1664606b7935d0b05998574846
    • Opcode Fuzzy Hash: 5b85165075cf8954891e1ea550836e7224eb1d62a53a36d8a811c309b882710e
    • Instruction Fuzzy Hash: E701D432B80614FBE2319F69AC89F6B7BACFBAAB4AF004415F301A71C8C76155458775
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0136E3F8,00000003,?,0136E398,00000003,01381D50,0000000C,0136E4EF,00000003,00000002), ref: 0136E467
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0136E47A
    • FreeLibrary.KERNEL32(00000000,?,?,?,0136E3F8,00000003,?,0136E398,00000003,01381D50,0000000C,0136E4EF,00000003,00000002,00000000), ref: 0136E49D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 605a880c7e05e25d5e620bf2bf6a1ab170eb69df96c1c9050a5be696238f047f
    • Instruction ID: fc8f4db93ba461b9a22840c704201776fc4fd19230b57aa90a867e8b29bccd49
    • Opcode Fuzzy Hash: 605a880c7e05e25d5e620bf2bf6a1ab170eb69df96c1c9050a5be696238f047f
    • Instruction Fuzzy Hash: 2FF0443151021DBBDB219BA5EC49B9D7FBCDF04769F008168F909A2254DB754A44CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 01356B9C: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 01356BB7
      • Part of subcall function 01356B9C: LoadLibraryW.KERNELBASE(?,?,0135590F,Crypt32.dll,00000000,01355989,?,?,0135596C,00000000,00000000,?,00000000), ref: 01356BD9
    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0135591B
    • GetProcAddress.KERNEL32(0138E028,CryptUnprotectMemory), ref: 0135592B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AddressProc$DirectoryLibraryLoadSystem
    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
    • API String ID: 2141747552-1753850145
    • Opcode ID: 58834f193251776aee9f62dae5ad518057c8d0b40aadd4ae12b20a0c69142340
    • Instruction ID: 83b8fdc8e159fa1a2861653166775c7b99317702f079f8b818dd8decf69584b9
    • Opcode Fuzzy Hash: 58834f193251776aee9f62dae5ad518057c8d0b40aadd4ae12b20a0c69142340
    • Instruction Fuzzy Hash: 77E04F70851741AEDB715F39A889B81BAE89F25B3CF01891DE8DAD2200D6BAE0808B50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AdjustPointer$_abort
    • String ID:
    • API String ID: 2252061734-0
    • Opcode ID: b8e0c3fbc9d648a8bdac64ddfcf786759b18bfc7dec21684c893b7ff7e10f032
    • Instruction ID: ddfc5b98ed055bc5d4a4a80135da9650e528e21f9903658aaec057df1232ea98
    • Opcode Fuzzy Hash: b8e0c3fbc9d648a8bdac64ddfcf786759b18bfc7dec21684c893b7ff7e10f032
    • Instruction Fuzzy Hash: A151D172604206DFEF298F19D845B6A7BBDEF5431CF24C52DDA054B698E732E841C790
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 01372349
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0137236C
      • Part of subcall function 0136F9E5: RtlAllocateHeap.NTDLL(00000000,?,?,?,0136A7E9,?,0000015D,?,?,?,?,0136BCC5,000000FF,00000000,?,?), ref: 0136FA17
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01372392
    • _free.LIBCMT ref: 013723A5
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 013723B4
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
    • String ID:
    • API String ID: 336800556-0
    • Opcode ID: ebf4be9bdf28f2279034b217c6b2be92c058d65501e715dfeb9610f6d4a8b7ff
    • Instruction ID: 0b7215b9dee3437221bc9e061d50dd069ef6a4f1e3c4261e3d205b3b85fec397
    • Opcode Fuzzy Hash: ebf4be9bdf28f2279034b217c6b2be92c058d65501e715dfeb9610f6d4a8b7ff
    • Instruction Fuzzy Hash: AE0184726016157FF33119AE6C8CD7B6E7EEFC2A68316027DFE04D3244DA688C0182B0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,0136F9D7,01371598,?,0136F793,00000001,00000364,?,0136ABD7,?,?,?,0136A652,00000050), ref: 0136F7EE
    • _free.LIBCMT ref: 0136F823
    • _free.LIBCMT ref: 0136F84A
    • SetLastError.KERNEL32(00000000), ref: 0136F857
    • SetLastError.KERNEL32(00000000), ref: 0136F860
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: afa4b5d673332c8742c949396e33adc167edc47b1cf63b0389890d7b2ced7188
    • Instruction ID: f2746d7ccbccbfecdc66ad3efd994f82383094d1858e413cc8765ae1434ec3bf
    • Opcode Fuzzy Hash: afa4b5d673332c8742c949396e33adc167edc47b1cf63b0389890d7b2ced7188
    • Instruction Fuzzy Hash: A001F977200726A7D333667D7CA4B2B2E6EDFD137CB218178FA15D2699EA24C8018360
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 01372C27
      • Part of subcall function 0136F8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?), ref: 0136F8D0
      • Part of subcall function 0136F8BA: GetLastError.KERNEL32(?,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?,?), ref: 0136F8E2
    • _free.LIBCMT ref: 01372C39
    • _free.LIBCMT ref: 01372C4B
    • _free.LIBCMT ref: 01372C5D
    • _free.LIBCMT ref: 01372C6F
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 713038242a3407beb07b8597e4c48d485801f51700b4e72e08540ef5ada336e8
    • Instruction ID: 6539e0677d21954ae3779a09af7c792579197bd605bafa31a99594edd9f7652c
    • Opcode Fuzzy Hash: 713038242a3407beb07b8597e4c48d485801f51700b4e72e08540ef5ada336e8
    • Instruction Fuzzy Hash: 31F06273500612ABEA30DFACF6C4D5B7BEEBA247147644809F918D7A09CB38F8808750
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _wcslen.LIBCMT ref: 01357DA7
    • _wcslen.LIBCMT ref: 01357DB8
    • _wcslen.LIBCMT ref: 01357DC8
    • _wcslen.LIBCMT ref: 01357DD6
    • CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,00000000,00000000,?,01352F91,?,?,00000000,?,?,?), ref: 01357DF1
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen$CompareString
    • String ID:
    • API String ID: 3397213944-0
    • Opcode ID: 8433a848b0fb8bf53853a98660613c9640ea45c9e5bcb51f6ba6904e6b0a786d
    • Instruction ID: cb99dfc045a0c65f388da1a69ffc4ada13673c888c17fcf2c2387484243f3da4
    • Opcode Fuzzy Hash: 8433a848b0fb8bf53853a98660613c9640ea45c9e5bcb51f6ba6904e6b0a786d
    • Instruction Fuzzy Hash: 7CF03033448069BBCF121F55EC08DDE7F2AFB40B74B15C415F9296B064CA329551D790
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 0136EEFE
      • Part of subcall function 0136F8BA: RtlFreeHeap.NTDLL(00000000,00000000,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?), ref: 0136F8D0
      • Part of subcall function 0136F8BA: GetLastError.KERNEL32(?,?,01372CA6,?,00000000,?,00000000,?,01372CCD,?,00000007,?,?,013730CA,?,?), ref: 0136F8E2
    • _free.LIBCMT ref: 0136EF10
    • _free.LIBCMT ref: 0136EF23
    • _free.LIBCMT ref: 0136EF34
    • _free.LIBCMT ref: 0136EF45
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 3a8290c2ca40695626bcd4cbf59537677641b91d243e584e15e515c15261b1e8
    • Instruction ID: d20dd229a98d582c41db8ae9fce7bcf577210138ec234bf3ba274a90db47da92
    • Opcode Fuzzy Hash: 3a8290c2ca40695626bcd4cbf59537677641b91d243e584e15e515c15261b1e8
    • Instruction Fuzzy Hash: 22F0D0B58007229BDB33AF28B8916493FFDF715719B064155FB159625CEB3505498BC0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _swprintf
    • String ID: %ls$%s: %s
    • API String ID: 589789837-2259941744
    • Opcode ID: a16c31bbe64680393c0da70e13b42a389b8bb2e350c1ff60fcb738cc6ec56978
    • Instruction ID: a4ebe7082966df75e35893171b356e1431de7432a9b09ee4aed30a109f98171d
    • Opcode Fuzzy Hash: a16c31bbe64680393c0da70e13b42a389b8bb2e350c1ff60fcb738cc6ec56978
    • Instruction Fuzzy Hash: 4851CB71288749FAFBA12A9DCC41F367E5EAB24F0CF808906FFC6748E0D5A191509767
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\eN0ONo7Zrw.exe,00000104), ref: 0136E582
    • _free.LIBCMT ref: 0136E64D
    • _free.LIBCMT ref: 0136E657
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\eN0ONo7Zrw.exe
    • API String ID: 2506810119-3520326165
    • Opcode ID: a271332a0ce3e06bfdae48357025400110474ef25dfec24d5ea427c2fad62b12
    • Instruction ID: 5cfc0beaeff18730497ec11334fa0bc6db9debb3dcaca611662c3d9f5b223f89
    • Opcode Fuzzy Hash: a271332a0ce3e06bfdae48357025400110474ef25dfec24d5ea427c2fad62b12
    • Instruction Fuzzy Hash: 773156B5A04219EFDB21DF9D988499EBBFCEF95718F108076EA0497208E7709E44CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 013695EB
    • _abort.LIBCMT ref: 013696F6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: EncodePointer_abort
    • String ID: MOC$RCC
    • API String ID: 948111806-2084237596
    • Opcode ID: 1f63a5c936c1726fb708fd19e9309e2fa8ada6e40ad93759308a036e113ce51a
    • Instruction ID: a5c6d3c9498420d2d3e80eea17fb272d9585a6133a5dbc39c3a71e1d9a0943c4
    • Opcode Fuzzy Hash: 1f63a5c936c1726fb708fd19e9309e2fa8ada6e40ad93759308a036e113ce51a
    • Instruction Fuzzy Hash: 80414971900209AFDF16DF98CC80BAEBBB9FF48328F148059FA1967219D3359950DB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __fprintf_l.LIBCMT ref: 01353EE4
    • _strncpy.LIBCMT ref: 01353F2A
      • Part of subcall function 01357B9F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,013548BA,?,00000000,00000000,?,?,?,013548BA,?,?,00000050), ref: 01357BBC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ByteCharMultiWide__fprintf_l_strncpy
    • String ID: $%s$@%s
    • API String ID: 562999700-834177443
    • Opcode ID: 7dc395d583aef702d669d136ec668c5efb819ef808a2cf18b46355d310279f5a
    • Instruction ID: b8242a55d77812721d5388dd543b3e930b25cbe469573573309a37aad9c267c2
    • Opcode Fuzzy Hash: 7dc395d583aef702d669d136ec668c5efb819ef808a2cf18b46355d310279f5a
    • Instruction Fuzzy Hash: BF21F07290020CAAEF21DEA8CC05FEE3BECBB01B98F000526FE1496290E771D208CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 013511C6: GetDlgItem.USER32(00000000,00003021), ref: 0135120A
      • Part of subcall function 013511C6: SetWindowTextW.USER32(00000000,01379584), ref: 01351220
    • EndDialog.USER32(?,00000001), ref: 01361E2E
    • GetDlgItemTextW.USER32(?,00000066,?,00000200), ref: 01361E46
    • SetDlgItemTextW.USER32(?,00000067,?), ref: 01361E74
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ItemText$DialogWindow
    • String ID: GETPASSWORD1
    • API String ID: 445417207-3292211884
    • Opcode ID: db05b77bd810eaa4f43d3a42b8da3503cf16a586d57c164c3b5b2c7c570cd1eb
    • Instruction ID: ee29b33795ce13a1a031d2448a1984d7ec513dd034c4aaef59f9aee18697e763
    • Opcode Fuzzy Hash: db05b77bd810eaa4f43d3a42b8da3503cf16a586d57c164c3b5b2c7c570cd1eb
    • Instruction Fuzzy Hash: 6F110472940219BAEB219E789C8DFBB7B7CEB8970CF044020FB09B3188D274D901C660
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID:
    • String ID: RENAMEDLG$REPLACEFILEDLG
    • API String ID: 0-56093855
    • Opcode ID: a9c09df00017d476b76c141d7f163f540b840d142b656daf38fe27597eeddd8a
    • Instruction ID: ab03cd178d3a9bde799658355858d858b912c60824d02191bbd1fca5ff33f527
    • Opcode Fuzzy Hash: a9c09df00017d476b76c141d7f163f540b840d142b656daf38fe27597eeddd8a
    • Instruction Fuzzy Hash: 800188B1A04545BFE7215F69FC85A667FADE707759F04C026FA15D3228D3364850CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::_Xinvalid_argument.LIBCPMT ref: 01358EAD
      • Part of subcall function 013655CD: std::invalid_argument::invalid_argument.LIBCONCRT ref: 013655D9
      • Part of subcall function 013655CD: ___delayLoadHelper2@8.DELAYIMP ref: 013655FF
    • std::_Xinvalid_argument.LIBCPMT ref: 01358EB8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Xinvalid_argumentstd::_$Helper2@8Load___delaystd::invalid_argument::invalid_argument
    • String ID: string too long$vector too long
    • API String ID: 2355824318-1617939282
    • Opcode ID: 174962dbf31513a8e08e9a3a39a917c25f0f12a9e3f39c32ceb08135938922a8
    • Instruction ID: 2cbb604460a3ce81ebb01bed5ffa57f16f6f787e4643459c0d30d402b7f4ba9c
    • Opcode Fuzzy Hash: 174962dbf31513a8e08e9a3a39a917c25f0f12a9e3f39c32ceb08135938922a8
    • Instruction Fuzzy Hash: 13F0A731200345ABC3306E4EEC45D4BB7FDEB95E6CB50065EEA4687601D7F0A90487B5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID:
    • API String ID: 1036877536-0
    • Opcode ID: d44050169a961246a75403e81249a310e18b1805ed77af15c25c3f8bfb7b45ee
    • Instruction ID: b6d3a824a1e2152072fbb5b42f3c3c1cbf026756c3c3c8073e7e24b15c35ccec
    • Opcode Fuzzy Hash: d44050169a961246a75403e81249a310e18b1805ed77af15c25c3f8bfb7b45ee
    • Instruction Fuzzy Hash: 57A16E719043869FE736CF1CD8A07AEBFEDEF16328F1481ADE5959B281C2388945C790
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000), ref: 01352958
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800), ref: 0135299C
    • SetFileTime.KERNEL32(?,?,?,00000000), ref: 01352A1D
    • CloseHandle.KERNEL32(?), ref: 01352A24
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: File$Create$CloseHandleTime
    • String ID:
    • API String ID: 2287278272-0
    • Opcode ID: 9b0c28996aaa9f717572d478a03f251215ba91e51a21f66c197de16118981ecb
    • Instruction ID: 83ce09bd325170e8703bb1c72ec428cd3512f195a3dd967bcedfa28ebc2958a9
    • Opcode Fuzzy Hash: 9b0c28996aaa9f717572d478a03f251215ba91e51a21f66c197de16118981ecb
    • Instruction Fuzzy Hash: EA41CD31248381EAE731DE28DC51FEBBBE8AF95B58F04091DFAD093280C664DA48D752
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,F4E85006,0136AD29,00000000,00000000,0136BD5E,?,0136BD5E,?,00000001,0136AD29,F4E85006,00000001,0136BD5E,0136BD5E), ref: 01372DE5
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 01372E6E
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 01372E80
    • __freea.LIBCMT ref: 01372E89
      • Part of subcall function 0136F9E5: RtlAllocateHeap.NTDLL(00000000,?,?,?,0136A7E9,?,0000015D,?,?,?,?,0136BCC5,000000FF,00000000,?,?), ref: 0136FA17
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID:
    • API String ID: 2652629310-0
    • Opcode ID: 4842577bf5735f80e5bcf538cd23585a641bd30c01d46ffb934f7c2bff64868a
    • Instruction ID: 0b3c189494a8ddf6a2d20e3b5ea1f330765706e97d8fa5cdd6967259a664943c
    • Opcode Fuzzy Hash: 4842577bf5735f80e5bcf538cd23585a641bd30c01d46ffb934f7c2bff64868a
    • Instruction Fuzzy Hash: 4031AE72A0020AAFDF358F69DC44EAF7BA9EB55318F044628FC08E7150E739C950CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetDC.USER32(00000000), ref: 01361176
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 01361185
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 01361193
    • ReleaseDC.USER32(00000000,00000000), ref: 013611A1
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    • Opcode ID: 00f8a3eaa609c1109c66b3cbaf906d5c40febc9f1d67d0e12d93e42de14209fb
    • Instruction ID: 6b29be303c5f2eb2993e7aa5f4649e7f9f48eb8c207a6ee09703293a613bf2e5
    • Opcode Fuzzy Hash: 00f8a3eaa609c1109c66b3cbaf906d5c40febc9f1d67d0e12d93e42de14209fb
    • Instruction Fuzzy Hash: CFE0EC31986F20ABD3302B64A84DB963EACBB19752F004142F70697188E76545048B90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 013611A9: GetDC.USER32(00000000), ref: 013611AD
      • Part of subcall function 013611A9: GetDeviceCaps.GDI32(00000000,0000000C), ref: 013611B8
      • Part of subcall function 013611A9: ReleaseDC.USER32(00000000,00000000), ref: 013611C3
    • GetObjectW.GDI32(?,00000018,?), ref: 0136134C
      • Part of subcall function 013615DE: GetDC.USER32(00000000), ref: 013615E7
      • Part of subcall function 013615DE: GetObjectW.GDI32(?,00000018,?,?,?,?,?,?,?,?,?,01361339,?,?,?), ref: 01361616
      • Part of subcall function 013615DE: ReleaseDC.USER32(00000000,?), ref: 013616AE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ObjectRelease$CapsDevice
    • String ID: (
    • API String ID: 1061551593-3887548279
    • Opcode ID: 2f214eefe30ac37ab25c95ca4aef5dd9fea39d0d2c201ecd36fd0aba315fc1b1
    • Instruction ID: df3fa60a1ecc4e92b7e12a70c13f7c77098f2f9b24731132be0bdba0f8a3f29b
    • Opcode Fuzzy Hash: 2f214eefe30ac37ab25c95ca4aef5dd9fea39d0d2c201ecd36fd0aba315fc1b1
    • Instruction Fuzzy Hash: 2191C071608348AFC720DF25D844A2BBBFCFBC9718F10895DF59AD7264DA70A805CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __allrem.LIBCMT ref: 0135DDD6
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0135DF32
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
    • String ID: CA+
    • API String ID: 1992179935-3359862159
    • Opcode ID: 6cea6c3a33a1dcc0c3037a4528463b10396a12988b8c2d66b3ab5ebc6f857696
    • Instruction ID: 17f6e0270ba47a509236a09549e66e68101dd99242fd5dd6a823bfd07245c3b4
    • Opcode Fuzzy Hash: 6cea6c3a33a1dcc0c3037a4528463b10396a12988b8c2d66b3ab5ebc6f857696
    • Instruction Fuzzy Hash: 86818071600216DFD764DF28E884B2A77AAFB84718F150A39E815D7398F732E9048F51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 01371734
      • Part of subcall function 0136A446: IsProcessorFeaturePresent.KERNEL32(00000017,0136A418,00000003,?,00000000,0136F3B0,00000000,00000016,?,?,0136A425,00000000,00000000,00000000,00000000,00000000), ref: 0136A448
      • Part of subcall function 0136A446: GetCurrentProcess.KERNEL32(C0000417,?,00000003,0136F7E8), ref: 0136A46A
      • Part of subcall function 0136A446: TerminateProcess.KERNEL32(00000000,?,00000003,0136F7E8), ref: 0136A471
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
    • String ID: *?$.
    • API String ID: 2667617558-3972193922
    • Opcode ID: c19b6910c70e6d2bb048fb15ca3b27fb97d6692790e10f063fe099939b87b22a
    • Instruction ID: 807dcf685cb8728daf8732ca68bd6981e8c6c4446159a5ab89d6c11cb0e910e0
    • Opcode Fuzzy Hash: c19b6910c70e6d2bb048fb15ca3b27fb97d6692790e10f063fe099939b87b22a
    • Instruction Fuzzy Hash: 2C517276E0010A9FDF25DFACC8809ADFBF9EF58318F258169D955E7340E6399A018B50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: }
    • API String ID: 176396367-4239843852
    • Opcode ID: 190a4b048bbe10d0729796efa1f246df9ad5123fe94a1e1b8ce6376dfef91f8d
    • Instruction ID: c091def4cc38b954fbbb3d6dc70a663a33ebcb8eb9dcece030eda8ecb5856dba
    • Opcode Fuzzy Hash: 190a4b048bbe10d0729796efa1f246df9ad5123fe94a1e1b8ce6376dfef91f8d
    • Instruction Fuzzy Hash: 9B21F62290431B5AD731EA68D844B6BB7DDDF4166CF42842AE540C7149E7A5D94CC3A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 013558FC: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 0135591B
      • Part of subcall function 013558FC: GetProcAddress.KERNEL32(0138E028,CryptUnprotectMemory), ref: 0135592B
    • GetCurrentProcessId.KERNEL32(?,?,?,0135596C), ref: 013559FF
    Strings
    • CryptProtectMemory failed, xrefs: 013559B6
    • CryptUnprotectMemory failed, xrefs: 013559F7
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: AddressProc$CurrentProcess
    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
    • API String ID: 2190909847-396321323
    • Opcode ID: a0d1e4b1f5d2cbbfe8db6016e9e780554173770b3b00372927a73c21ac4c06eb
    • Instruction ID: b5b5dd505d7452813301ba98182c7fe762f0c47dc78d6aecb470532a828bbc48
    • Opcode Fuzzy Hash: a0d1e4b1f5d2cbbfe8db6016e9e780554173770b3b00372927a73c21ac4c06eb
    • Instruction Fuzzy Hash: 1211E932601329ABEB679F29E841E6D3B79FF45F7CB048119EC015F245D624BD0187D1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _swprintf.LIBCMT ref: 01353529
      • Part of subcall function 01352AA2: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 01352AB5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: __vswprintf_c_l_swprintf
    • String ID: %c:\
    • API String ID: 1543624204-3142399695
    • Opcode ID: 79387d3c803a186a279cf848487ac347d5847c31116009c19284cb46298f032c
    • Instruction ID: 784a356bab209937e61861b9d99552ab1695360099cf58a700a1b71d4ad3a497
    • Opcode Fuzzy Hash: 79387d3c803a186a279cf848487ac347d5847c31116009c19284cb46298f032c
    • Instruction Fuzzy Hash: F301D2A3504312E9EB706B6E9C45D6BBBACFEA5AF8750980EF944C6041FA20D44082A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsWindowVisible.USER32(?), ref: 01364836
    • DialogBoxParamW.USER32(GETPASSWORD1,?,01361DE0,?), ref: 01364871
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: DialogParamVisibleWindow
    • String ID: GETPASSWORD1
    • API String ID: 3157717868-3292211884
    • Opcode ID: a017900a362de74251787673f90a15f642a587f95c8412a6950d4ead2b0cddae
    • Instruction ID: b483e167874519ed7e646b2516c771846ad3c05e4567d2f9cfd87cc5e26e3fe1
    • Opcode Fuzzy Hash: a017900a362de74251787673f90a15f642a587f95c8412a6950d4ead2b0cddae
    • Instruction Fuzzy Hash: BF114C31544295AFDB229E6CDC41FFA7FACAB0578DF048035FD45E3149C6A45984CBB1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 01354878: _swprintf.LIBCMT ref: 0135489E
      • Part of subcall function 01354878: SetDlgItemTextW.USER32(?,01384154,?), ref: 0135491F
      • Part of subcall function 01354878: GetWindowRect.USER32(?,?), ref: 01354959
      • Part of subcall function 01354878: GetClientRect.USER32(?,?), ref: 01354965
    • GetDlgItem.USER32(00000000,00003021), ref: 0135120A
    • SetWindowTextW.USER32(00000000,01379584), ref: 01351220
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: ItemRectTextWindow$Client_swprintf
    • String ID: 0
    • API String ID: 758586884-4108050209
    • Opcode ID: 632e01476704d3ad38a58bdc2a790f6a707835f7f0de7b9d37c704465957fdcd
    • Instruction ID: fc5615035fc957221862303f9def5fa9fc61b71d5742344af6bb689b436274b5
    • Opcode Fuzzy Hash: 632e01476704d3ad38a58bdc2a790f6a707835f7f0de7b9d37c704465957fdcd
    • Instruction Fuzzy Hash: CEF04F7050028DABEF961E69881CFF93F98AF55B9EF04810CFE4896191EB79C194EB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: _swprintf
    • String ID: z%s%02d$z%s%d
    • API String ID: 589789837-468824935
    • Opcode ID: c2107ca49adf10cc47779f0b7664c05c53bc14c1fd969bce8addcfb3bde77f22
    • Instruction ID: c768a0c27d56fb42dad8964a42ec7f31a868c46e8b9f68eea851a39244acff28
    • Opcode Fuzzy Hash: c2107ca49adf10cc47779f0b7664c05c53bc14c1fd969bce8addcfb3bde77f22
    • Instruction Fuzzy Hash: B1F0B4B9400109ABEF60AE498C40EEB776DEF98A6CF004155ED0267141D635D95987B0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,01353FE5,?), ref: 01354833
    • FindResourceW.KERNEL32(00000000,RTL,00000005,?,01353FE5,?), ref: 01354841
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.236769390.0000000001351000.00000020.00000001.01000000.00000003.sdmp, Offset: 01350000, based on PE: true
    • Associated: 00000000.00000002.236763269.0000000001350000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236778521.0000000001379000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001384000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.000000000138A000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.0000000001395000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236784018.00000000013B9000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.236798754.00000000013BA000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1350000_eN0ONo7Zrw.jbxd
    Similarity
    • API ID: FindHandleModuleResource
    • String ID: RTL
    • API String ID: 3537982541-834975271
    • Opcode ID: 9ecd25de0827fb7a85ffd39b28d30f375f010c22a8d3163f861c3d2b8e9ab384
    • Instruction ID: e28501d894eeb9f90ab509230244b18db48089839f4075049fd2702bbb097a71
    • Opcode Fuzzy Hash: 9ecd25de0827fb7a85ffd39b28d30f375f010c22a8d3163f861c3d2b8e9ab384
    • Instruction Fuzzy Hash: 91C0123165035056EB3116357C0DB832E5C7B00B3DF05074CB6029A184D7E5C441C760
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 27.4%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 9.5%
    Total number of Nodes: 42
    Total number of Limit Nodes: 8

    Callgraph

    • Executed
    • Not Executed
    • Opacity -> Relevance
    • Disassembly available

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 047C2299
    • VirtualProtect.KERNELBASE(?,?,?,?,?,00000000,048D3B70), ref: 047C24CA
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 047C2549
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 047C2585
    Memory Dump Source
    • Source File: 00000002.00000002.236481392.00000000047C1000.00000020.00001000.00020000.00000000.sdmp, Offset: 047C1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_47c1000_rundll32.jbxd
    Similarity
    • API ID: Virtual$Protect$Alloc
    • String ID:
    • API String ID: 2541858876-0
    • Opcode ID: 61a8cb1c603debe83f13b2e7bff6ec50a2c5a2c003de16ddd9aec75a98801850
    • Instruction ID: d0548851cc4ee88a967caeb3af36ee23a1dbc35d802f67e3360a997683653538
    • Opcode Fuzzy Hash: 61a8cb1c603debe83f13b2e7bff6ec50a2c5a2c003de16ddd9aec75a98801850
    • Instruction Fuzzy Hash: 7F124C72E005198FDB18CF65CC54AEEB7B6BFC8314F14C1AED509AB255DA346A86CF80
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 048E56DB
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.236503615.00000000048E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 048E1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_48e1000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID: SlT&
    • API String ID: 1263568516-3052097721
    • Opcode ID: cdfc6f4b4a538e8d0ff24f9b60e6b4c327a115cb6fcd37598ab7700bf7ef14e8
    • Instruction ID: 370d896413a8e4b4a7b9b321e029e53e410010900216b101b5208ec92a62cd02
    • Opcode Fuzzy Hash: cdfc6f4b4a538e8d0ff24f9b60e6b4c327a115cb6fcd37598ab7700bf7ef14e8
    • Instruction Fuzzy Hash: 758181326097419FC314CE79C84066BB7E3BBC9314F168A6DE498DB354DB75E846CB82
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    APIs
    • NtCreateThreadEx.NTDLL(?,?), ref: 048E5D72
    Memory Dump Source
    • Source File: 00000002.00000002.236503615.00000000048E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 048E1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_48e1000_rundll32.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: 5983ad10b8f2cc418dc5679e298e71a293e2b4af7e9fba881a2b74f639afc0bb
    • Instruction ID: 85a60c0b80c9160a1d074ce099118fc1c04d1e972106d721ae7e6351d3ad7bf6
    • Opcode Fuzzy Hash: 5983ad10b8f2cc418dc5679e298e71a293e2b4af7e9fba881a2b74f639afc0bb
    • Instruction Fuzzy Hash: B9515B72A00119DFDF14CFA9C984AADBBB2FB88314F2586A5E418EB255DB30ED51CF40
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 048E7F70; block 48e8090-48e80d7 calls VirtualAlloc.]
    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 048E80C1
    Memory Dump Source
    • Source File: 00000002.00000002.236503615.00000000048E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 048E1000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_48e1000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 596cbc6a0c3e9698a861d62efa9f361159e7d232f320c70891fb823c99822c3f
    • Instruction ID: 329ff6c285531e96e93d7ed0fb204a508816a0e8806fc645ffabc1c67458e65b
    • Opcode Fuzzy Hash: 596cbc6a0c3e9698a861d62efa9f361159e7d232f320c70891fb823c99822c3f
    • Instruction Fuzzy Hash: C5719033A183518FC314DF69C98052AB7E2BBD8314F1A8E2DE599EB350D735E805CB82
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 00B51021; entry block b51021-b5111b calls VirtualProtect twice and the subroutines at b52770 and b52714; block b51322-b5138b calls b52770.]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.236441421.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: `
    • API String ID: 544645111-2679148245
    • Opcode ID: d6151342797c1f7537d3d2a8d669c32fa48df093d63a1df8de8eec2e4c204d47
    • Instruction ID: 9962fcd982be558670acb596917ea0419da44bd16ee3942964c9e6c7e4e936bd
    • Opcode Fuzzy Hash: d6151342797c1f7537d3d2a8d669c32fa48df093d63a1df8de8eec2e4c204d47
    • Instruction Fuzzy Hash: A0819DB4E052188FDB18CF99C990B9DBBF1FF48310F2585AAD909AB352D735A985CF40
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 00B51122; block b51122-b5117e calls VirtualProtect; block b51322-b5138b calls the subroutine at b52770.]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000002.00000002.236441421.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: `
    • API String ID: 544645111-2679148245
    • Opcode ID: 5e1dbfebc0862d02240908e21059dd03b4f6f383f7f6a2a9cf7ca49ac71ccd01
    • Instruction ID: d1473af8785166c0990a35b893e29ee930ee52d350b1b52f661f22e720aaa44b
    • Opcode Fuzzy Hash: 5e1dbfebc0862d02240908e21059dd03b4f6f383f7f6a2a9cf7ca49ac71ccd01
    • Instruction Fuzzy Hash: 67419CB5E006288FDB54CF58C980B88BBB1FF48314F1581E9CA09AB356D771AD95CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 00B51685; block b51685-b5174a calls VirtualAlloc and the subroutines at b51f24 and b52770; block b51766-b517db calls b52101 and b513bd.]
    APIs
    Memory Dump Source
    • Source File: 00000002.00000002.236441421.0000000000B50000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B50000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_2_2_b50000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 29516217bdf7ffddd56053c7a8babcd07650cd4b0498675dde91ee9eb19ff9db
    • Instruction ID: 5bf018473fa9e9f394424d280300c9ba544549e795c7b174178cdd4b03ad1b62
    • Opcode Fuzzy Hash: 29516217bdf7ffddd56053c7a8babcd07650cd4b0498675dde91ee9eb19ff9db
    • Instruction Fuzzy Hash: 1F41E2B49012058FDB04DFA8C5947AEBBF0FF48308F2485ADD858AB351D37AA946CF95
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage:27.4%
    Dynamic/Decrypted Code Coverage:100%
    Signature Coverage:0%
    Total number of Nodes:42
    Total number of Limit Nodes:8
    [Graph rendering not recoverable. Entry node 04741F54 reaches VirtualAlloc (0474227B), three VirtualProtect calls (047424A4, 04742527, 04742563) and, via 04868260, the VirtualFree (048656B6), VirtualAlloc (04868090) and NtCreateThreadEx (04865D52) nodes; a second entry at 006B201A reaches VirtualAlloc (006B1685) and VirtualProtect (006B1021, 006B10DB, 006B1122).]

    Callgraph

    [Graph rendering not recoverable. Functions span the 0474xxxx, 0486xxxx and 006Bxxxx regions; root Function_04741F54 calls Function_04743370, Function_04741000, Function_047426E8 and Function_04868260, and Function_04868260 leads to Function_04865EE0, which calls Function_048655B0, Function_04861820 and Function_04867F70.]

    Control-flow Graph

    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 04742299
    • VirtualProtect.KERNELBASE(?,?,?,?,?,00000000,04853B70), ref: 047424CA
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04742549
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 04742585
    Memory Dump Source
    • Source File: 00000004.00000002.236230234.0000000004741000.00000020.00001000.00020000.00000000.sdmp, Offset: 04741000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_4741000_rundll32.jbxd
    Similarity
    • API ID: Virtual$Protect$Alloc
    • String ID:
    • API String ID: 2541858876-0
    • Opcode ID: ac1fd12a31c672e6ad9eb8bae5ac66c2a3a9e5fcb3c2406db48bcc6802b14d5e
    • Instruction ID: e48278afe05eb67d831013828af5677b0319042f8a0f7c99ec4f0a8da1109237
    • Opcode Fuzzy Hash: ac1fd12a31c672e6ad9eb8bae5ac66c2a3a9e5fcb3c2406db48bcc6802b14d5e
    • Instruction Fuzzy Hash: 19126C72E005298FDB18CF65CC54AEEB7B6BFC8314F14C1AAD509AB255DB346A86CF40
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 048655B0; block 48656b6-48656f1 calls VirtualFree.]
    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 048656DB
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.236251090.0000000004861000.00000020.00001000.00020000.00000000.sdmp, Offset: 04861000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_4861000_rundll32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID: SlT&
    • API String ID: 1263568516-3052097721
    • Opcode ID: 8dfdc43ea2a0bd4bf9eb434597a83c857d446b3fbff145128693845f59591f9a
    • Instruction ID: 4c9d99f64dc34786a2e302331de1674e8c882f230e3261963fa54d8ddd4cb76c
    • Opcode Fuzzy Hash: 8dfdc43ea2a0bd4bf9eb434597a83c857d446b3fbff145128693845f59591f9a
    • Instruction Fuzzy Hash: 55819F326087419FC314CE39D84065BB7E3BBC8314F268A6DE499DB354DA75E846CB82
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 04865D33; block 4865d52-4865d7d calls NtCreateThreadEx.]
    APIs
    • NtCreateThreadEx.NTDLL(?,?), ref: 04865D72
    Memory Dump Source
    • Source File: 00000004.00000002.236251090.0000000004861000.00000020.00001000.00020000.00000000.sdmp, Offset: 04861000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_4861000_rundll32.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: 0e7745319151d52b531f4a13a023137e32cd0dcd8d22d8cf90cf35590f0aefcc
    • Instruction ID: f07ca994a9bc1be86c2e4a45cd33504f6c8979d014b148199e7d47b778459d1b
    • Opcode Fuzzy Hash: 0e7745319151d52b531f4a13a023137e32cd0dcd8d22d8cf90cf35590f0aefcc
    • Instruction Fuzzy Hash: BF516D32A001189FDF55CFA8D984A9DBBB2FB88310F258665D419EB255DB30ED51CF40
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 04867F70; block 4868090-48680d7 calls VirtualAlloc.]
    APIs
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 048680C1
    Memory Dump Source
    • Source File: 00000004.00000002.236251090.0000000004861000.00000020.00001000.00020000.00000000.sdmp, Offset: 04861000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_4861000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 05399aca026281436e2da0dd446eccb118b5e85de4d251c5a5b109d12b6efcb9
    • Instruction ID: 89a24ef55a89f123733689a4c2c71929dbf66f9e7c7ae0aaeac27519e9b5ede4
    • Opcode Fuzzy Hash: 05399aca026281436e2da0dd446eccb118b5e85de4d251c5a5b109d12b6efcb9
    • Instruction Fuzzy Hash: 48719D73A183518FC354CE69C88061AB7E2BBD8314F1A8E2DE599EB350D735E905CB82
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 006B1021; entry block 6b1021-6b111b calls VirtualProtect twice and the subroutines at 6b2770 and 6b2714; block 6b1322-6b138b calls 6b2770.]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.236187385.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6b0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: `
    • API String ID: 544645111-2679148245
    • Opcode ID: d6151342797c1f7537d3d2a8d669c32fa48df093d63a1df8de8eec2e4c204d47
    • Instruction ID: d2bf24ebf880e5439c688fd6c6a40725bb421e7cb41060d927118aea3fd7aeee
    • Opcode Fuzzy Hash: d6151342797c1f7537d3d2a8d669c32fa48df093d63a1df8de8eec2e4c204d47
    • Instruction Fuzzy Hash: 0F819FB4E042188FDB14CF99C990A9DBBF1FF48310F2581AED909AB351D734A985CF84
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 006B1122; block 6b1122-6b117e calls VirtualProtect; block 6b1322-6b138b calls the subroutine at 6b2770.]
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000004.00000002.236187385.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6b0000_rundll32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: `
    • API String ID: 544645111-2679148245
    • Opcode ID: 5e1dbfebc0862d02240908e21059dd03b4f6f383f7f6a2a9cf7ca49ac71ccd01
    • Instruction ID: b9c4204ad4696b4b1a9191bfe28978aea58b27320b1c32c6a626bc8e5249a01f
    • Opcode Fuzzy Hash: 5e1dbfebc0862d02240908e21059dd03b4f6f383f7f6a2a9cf7ca49ac71ccd01
    • Instruction Fuzzy Hash: 14419DB5E00228CFDB54CF58C990B88BBB2FF49314F5581A9CA08AB356D771AD91CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    [Graph rendering not recoverable. Function at 006B1685; block 6b1685-6b174a calls VirtualAlloc and the subroutines at 6b1f24 and 6b2770; block 6b1766-6b17db calls 6b2101 and 6b13bd.]
    APIs
    Memory Dump Source
    • Source File: 00000004.00000002.236187385.00000000006B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_4_2_6b0000_rundll32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 29516217bdf7ffddd56053c7a8babcd07650cd4b0498675dde91ee9eb19ff9db
    • Instruction ID: bc1a3cd3a70af82cf15500ee7a14d2af766fefadaea3007668342a0b6c1258b2
    • Opcode Fuzzy Hash: 29516217bdf7ffddd56053c7a8babcd07650cd4b0498675dde91ee9eb19ff9db
    • Instruction Fuzzy Hash: E14132B09012058FDB04CFA8C5947AEBBF0FF48308F24856DD858AB341D37AA986CF95
    Uniqueness

    Uniqueness Score: -1.00%