
Windows Analysis Report
qd_x86.exe

Overview

General Information

Sample name:qd_x86.exe
Analysis ID:1427912
MD5:31b1a881401e0ba0cad4c56f1e32c48e
SHA1:19e491a4c69de056c77d05ba671870818d4f7f80
SHA256:7215d9421e0a6d1a7cfde3f6d742670550fed009585ab35b53cbb845f63c5f74
Tags:exe
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Check for Windows Defender sandbox
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found evasive API chain checking for process token information
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • qd_x86.exe (PID: 2716 cmdline: "C:\Users\user\Desktop\qd_x86.exe" MD5: 31B1A881401E0BA0CAD4C56F1E32C48E)
    • conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: qd_x86.exe | ReversingLabs: Detection: 35%
Source: qd_x86.exe | Virustotal: Detection: 42%
Source: qd_x86.exe | Joe Sandbox ML: detected
Source: qd_x86.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: qd_x86.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb | source: qd_x86.exe
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00568074 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00568074
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00567C8A FindFirstFileExW, 0_2_00567C8A
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005821A0 0_2_005821A0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00554243 0_2_00554243
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005723EF 0_2_005723EF
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0056C42E 0_2_0056C42E
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005844C0 0_2_005844C0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005545A2 0_2_005545A2
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00580800 0_2_00580800
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00554910 0_2_00554910
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0053ABC1 0_2_0053ABC1
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00554C6F 0_2_00554C6F
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0058EC3F 0_2_0058EC3F
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0057AD5D 0_2_0057AD5D
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00554FCD 0_2_00554FCD
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00539068 0_2_00539068
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0057D200 0_2_0057D200
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005352FF 0_2_005352FF
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00571370 0_2_00571370
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0055533A 0_2_0055533A
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00555698 0_2_00555698
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0055386E 0_2_0055386E
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005718A0 0_2_005718A0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0058F9AF 0_2_0058F9AF
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00555A8C 0_2_00555A8C
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00553BB0 0_2_00553BB0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0057DC08 0_2_0057DC08
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00571CF0 0_2_00571CF0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00535EEE 0_2_00535EEE
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00555E8F 0_2_00555E8F
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0056FE89 0_2_0056FE89
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00553F01 0_2_00553F01
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: String function: 00536E70 appears 63 times
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: String function: 00531140 appears 54 times
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: String function: 00561F12 appears 35 times
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: String function: 00562DA3 appears 56 times
Source: qd_x86.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal60.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Users\user\Desktop\qd_x86.exe | Command line argument: ~LX 0_2_00584BD0
Source: qd_x86.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\qd_x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: qd_x86.exe | ReversingLabs: Detection: 35%
Source: qd_x86.exe | Virustotal: Detection: 42%
Source: unknown | Process created: C:\Users\user\Desktop\qd_x86.exe "C:\Users\user\Desktop\qd_x86.exe"
Source: C:\Users\user\Desktop\qd_x86.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: logoncli.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\qd_x86.exe | Section loaded: kernel.appcore.dll
Source: qd_x86.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: qd_x86.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: qd_x86.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: qd_x86.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: qd_x86.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: qd_x86.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: qd_x86.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: qd_x86.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Z:\j\projects\qbot4\Release\Win32\qd_x86.pdb | source: qd_x86.exe
Source: qd_x86.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: qd_x86.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: qd_x86.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: qd_x86.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: qd_x86.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00533E91 LoadLibraryA,GetProcAddress, 0_2_00533E91
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00584D3B push ecx; ret 0_2_00584D4E
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00536EC0 push ecx; ret 0_2_00536ED3

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\qd_x86.exe | File Queried: C:\INTERNAL\__empty
Source: C:\Users\user\Desktop\qd_x86.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes graph_0-50523
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00568074 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00568074
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00567C8A FindFirstFileExW, 0_2_00567C8A
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00534540 GetSystemInfo, 0_2_00534540
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005622A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005622A5
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00533E91 LoadLibraryA,GetProcAddress, 0_2_00533E91
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_0056D5EA GetProcessHeap, 0_2_0056D5EA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005622A5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005622A5
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00536C0A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00536C0A
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00536DA0 SetUnhandledExceptionFilter, 0_2_00536DA0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005372F7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005372F7
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00537109 cpuid 0_2_00537109
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: EnumSystemLocalesW, 0_2_00562779
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: EnumSystemLocalesW, 0_2_005628E6
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: EnumSystemLocalesW, 0_2_00562918
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0056C9C1
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: EnumSystemLocalesW, 0_2_0056CC6D
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: EnumSystemLocalesW, 0_2_0056CCD6
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: EnumSystemLocalesW, 0_2_0056CD71
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0056CDFC
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: GetLocaleInfoW, 0_2_0056D04F
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0056D178
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: GetLocaleInfoW, 0_2_0056325F
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: GetLocaleInfoW, 0_2_0056D27E
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0056D354
Source: C:\Users\user\Desktop\qd_x86.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_005313B0 CreateNamedPipeA,ConnectNamedPipe,GetLastError,ReadFile,GetLastError,DisconnectNamedPipe, 0_2_005313B0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00536ADF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00536ADF
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00531AD0 GetFileAttributesW,GetModuleHandleA,GetUserNameW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,Sleep,lstrlenA, 0_2_00531AD0
Source: C:\Users\user\Desktop\qd_x86.exe | Code function: 0_2_00534767 GetCurrentProcessId,GetLastError,KiUserCallbackDispatcher,GetVersionExA,GetWindowsDirectoryW, 0_2_00534767
Source: C:\Users\user\Desktop\qd_x86.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (one line per tactic; the number in parentheses is the count of matching signatures where the report shows one):

Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution | Command and Scripting Interpreter (2); Native API (2); At; Cron; Launchd; Scheduled Task
Persistence | DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation | Process Injection (2); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion | Process Injection (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Software Packing; Steganography
Credential Access | OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery | System Time Discovery (1); Security Software Discovery (2); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (35)
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection | Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control | Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (ID: 1427912, Sample: qd_x86.exe, Startdate: 18/04/2024, Architecture: WINDOWS, Score: 60): the sample node started qd_x86.exe, which in turn started conhost.exe. Signatures attached to the graph: Multi AV Scanner detection for submitted file and Machine Learning detection for sample (on the sample node), Check for Windows Defender sandbox (on the qd_x86.exe process node).

Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
qd_x86.exe | 35% | ReversingLabs | Win32.Trojan.Generic
qd_x86.exe | 43% | Virustotal |
qd_x86.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1427912
Start date and time:2024-04-18 10:36:10 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 2m 19s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:qd_x86.exe
Detection:MAL
Classification:mal60.evad.winEXE@2/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 22
  • Number of non-executed functions: 94
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Not all processes were analyzed, report is missing behavior information
No simulations
No context
Process:C:\Users\user\Desktop\qd_x86.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.796217602590056
Encrypted:false
SSDEEP:3:gBM/gOBLy:gROBLy
MD5:773247E31D337AE0E32C10FB98F5DB1C
SHA1:866A0AA4F70B8DEE5DE50C55892F501713315396
SHA-256:19D0FCC438434297DE98B8879DA7A12B8031E02DDBD10F3C3515441362500BCB
SHA-512:D3589C563130679ECB65B93CDA902B51CA7AA467E34CA64C8825AB12C4EE64807B718F1F2130A54E72FEC8568A42188F527868ACB3FBF1EBB991BEF4A8049383
Malicious:false
Reputation:low
Preview:Update is not installed...
File type:PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):6.755937822537242
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:qd_x86.exe
File size:535'040 bytes
MD5:31b1a881401e0ba0cad4c56f1e32c48e
SHA1:19e491a4c69de056c77d05ba671870818d4f7f80
SHA256:7215d9421e0a6d1a7cfde3f6d742670550fed009585ab35b53cbb845f63c5f74
SHA512:459d6e38e633f22877add0b862319aa65484a015225e24cfea64d3bbebcde171d75857c063033035897a1d848b7c87833d0e3581d57558c0663b433db8b0154c
SSDEEP:6144:7TjAuWlcEz3grAQFAaQe0j+TE7xrJmRPnZJUdFwnKjMFtsBzlgnySHpgB:fjAuWlJ0AQqe0j+WuaFMKjMfmSH
TLSH:3BB4AE01B8D08032C57234710279D7798EBEB4700A556ACF57DA1DBBAF70AD0AB2676F
File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........`....A...A...A...@...A...@...A...@...A...@...A...@...A...@...A...@...A...A...A.e.@...A.e.@...A...@...A.e.@...A.e.A...A.e.@...
Icon Hash:00928e8e8686b000
Entrypoint:0x40646e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x65C50FCB [Thu Feb 8 17:30:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:14e3d57d9f86b144f92a9d94ef2c3bb8
Instruction
call 00007F83B513DDCEh
jmp 00007F83B513D52Ch
int3
int3
int3
int3
int3
int3
int3
int3
jmp 00007F83B513D730h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
jmp 00007F83B513D720h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp dword ptr [004820C8h], 02h
jl 00007F83B513D71Ah
sub esp, 04h
fisttp dword ptr [esp]
pop eax
ret
push ebp
mov ebp, esp
add esp, FFFFFFF0h
and esp, FFFFFFF0h
fld st(0), st(0)
fstp tbyte ptr [esp]
mov eax, dword ptr [esp+04h]
movzx ecx, word ptr [esp+08h]
btr ecx, 0Fh
sbb edx, edx
cmp cx, 3FFFh
jc 00007F83B513D731h
test eax, eax
jns 00007F83B513D748h
cmp cx, 401Eh
jnc 00007F83B513D72Eh
neg cx
add cx, 403Eh
frndint
fstp st(0)
shr eax, cl
xor eax, edx
sub eax, edx
leave
ret
frndint
fstp st(0)
xor eax, eax
leave
ret
jnbe 00007F83B513D723h
test edx, edx
jns 00007F83B513D71Fh
cmp eax, 80000000h
jne 00007F83B513D718h
frndint
fstp st(0)
leave
ret
fcomp dword ptr [0046EA08h]
leave
mov eax, 80000000h
ret
int3
int3
int3
int3
cmp dword ptr [004820C8h], 02h
jl 00007F83B513D750h
fldz
fucomip st(0), st(1)
jp 00007F83B513D73Eh
jnbe 00007F83B513D72Dh
fld dword ptr [0046EA00h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7b5cc | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x84000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x85000 | 0x2c64 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x79f20 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x79e60 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x68000 | 0x1fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x66074 | 0x66200 | a9adf9dd81a490863459394fa4e1b411 | False | 0.4247269928090575 | data | 6.640437903633444 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x68000 | 0x14124 | 0x14200 | a4254f98495b7d2d23c15a4c76801a08 | False | 0.6468483113354038 | data | 6.525832729688649 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7d000 | 0x6d44 | 0x5200 | 17bec568cbea1d1694c7b4b4d242ca47 | False | 0.48275533536585363 | data | 5.041924967241612 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x84000 | 0x1e0 | 0x200 | 76da06eac51664280ffa175d39a47fb9 | False | 0.52734375 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x85000 | 0x2c64 | 0x2e00 | 171f33b282c7dc8bc7455433ff23cc37 | False | 0.7528023097826086 | data | 6.568730173178581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x84060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727

DLL | Import
SHELL32.dll | CommandLineToArgvW
KERNEL32.dll | lstrlenA, GetFileAttributesW, GetModuleHandleA, DisconnectNamedPipe, Sleep, GetLastError, lstrcpyW, lstrcmpW, ConnectNamedPipe, GetNumberFormatA, FindFirstFileW, FindNextFileW, SetFileAttributesW, GetFileAttributesA, MoveFileW, lstrcatA, MultiByteToWideChar, lstrcatW, lstrcpyA, WideCharToMultiByte, HeapCreate, HeapFree, HeapAlloc, HeapDestroy, SetNamedPipeHandleState, CreateNamedPipeA, FlushFileBuffers, LoadLibraryA, GetProcAddress, FreeLibrary, GetSystemTimeAsFileTime, lstrlenW, GetCommandLineW, GetCommandLineA, GetVersionExA, GetSystemInfo, GetCurrentDirectoryW, GetWindowsDirectoryW, GetCurrentProcessId, LocalAlloc, GetCurrentThread, lstrcmpiW, Thread32Next, Thread32First, GetCurrentThreadId, lstrcmpA, SuspendThread, GetExitCodeProcess, CreateFileW, ReadConsoleW, CloseHandle, HeapReAlloc, ReadFile, WriteConsoleW, CallNamedPipeA, InitializeSListHead, HeapSize, SetFilePointerEx, QueryPerformanceCounter, DecodePointer, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, InterlockedPushEntrySList, InterlockedFlushSList, RtlUnwind, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, EncodePointer, RaiseException, ExitProcess, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, GetTempPathW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, OutputDebugStringW, FindClose, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, GetProcessHeap, SetConsoleCtrlHandler, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx
USER32.dll | CharUpperBuffA, CharUpperBuffW
ADVAPI32.dll | RegDeleteKeyA, GetUserNameW, SetFileSecurityA
ole32.dll | CoCreateInstance

Language of compilation system | Country where language is spoken
English | United States
No network behavior found


Target ID:0
Start time:10:36:55
Start date:18/04/2024
Path:C:\Users\user\Desktop\qd_x86.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\qd_x86.exe"
Imagebase:0x530000
File size:535'040 bytes
MD5 hash:31B1A881401E0BA0CAD4C56F1E32C48E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:10:36:55
Start date:18/04/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:1.7%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:29.9%
Total number of Nodes:668
Total number of Limit Nodes:23
execution_graph: node/edge export of the rendered graph (668 nodes, start node 536285, ending at the point where the export was cut off); the raw listing is not reproduced here. API-bearing nodes recoverable from the export: 536adf (GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter), 536c0a (IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter), 537109 (IsProcessorFeaturePresent), 536d5e (GetModuleHandleW), 53328f (HeapCreate), 532e24 (GetFileAttributesW), 531b95 (GetModuleHandleA), 531c30 (GetUserNameW), the lstrcmpW/lstrcpyW comparison chain 531ca0 through 531ff0, 532204 (Sleep), 5323b2 (lstrlenA), 5313b0 (9 API calls), 5319a0 (RegDeleteKeyA, HeapAlloc), 5335e2 (RegOpenKeyExA), 53478b (GetCurrentProcessId), 53488c (GetLastError), 534892 (KiUserCallbackDispatcher), 534a1f (GetVersionExA), 534540 (GetSystemInfo), 534a3b (GetWindowsDirectoryW), 533020 and 5332ae (HeapAlloc), 5332b9 (HeapFree), 53308f (WideCharToMultiByte), 533055 (MultiByteToWideChar, HeapAlloc), 5330e7 (lstrcatA, HeapAlloc), 535e7f, 532f44 and 535fd3 (lstrlenW), 564135 (GetStdHandle), 564148 (GetFileType).
50420 533ff3 50419->50420 50421 534023 LoadLibraryA 50420->50421 50422 53401b GetModuleHandleA 50420->50422 50423 53402a 50421->50423 50422->50423 50425 531a24 50423->50425 50426 533f7d 50423->50426 50425->50273 50427 5332a4 HeapAlloc 50426->50427 50429 533f90 50427->50429 50428 533fbe 50428->50425 50429->50428 50431 533e91 50429->50431 50432 533eaa 50431->50432 50433 533f05 50431->50433 50432->50433 50434 533f5d LoadLibraryA 50432->50434 50433->50429 50434->50433 50435 533f6b GetProcAddress 50434->50435 50435->50433 50436 533f77 50435->50436 50436->50433 50448 535751 50437->50448 50439 531b6c GetFileAttributesW 50439->50057 50439->50147 50441 5328f9 GetNumberFormatA 50442 53291b 50441->50442 50442->50442 50443 532973 GetNumberFormatA 50442->50443 50444 53293c 50442->50444 50446 532948 50443->50446 50445 5332a4 HeapAlloc 50444->50445 50445->50446 50451 5332b9 50446->50451 50455 535659 50448->50455 50452 5332fb 50451->50452 50453 5332bf 50451->50453 50452->50439 50453->50452 50454 5332eb HeapFree 50453->50454 50454->50452 50456 53567f 50455->50456 50457 535683 GetLastError 50456->50457 50458 535690 50456->50458 50461 5328b8 50457->50461 50468 53559f 50458->50468 50461->50439 50461->50441 50462 5332a4 HeapAlloc 50463 5356c4 50462->50463 50463->50461 50472 535633 GetLastError 50463->50472 50465 5356d7 50465->50461 50466 535705 GetLastError 50465->50466 50467 5332b9 HeapFree 50466->50467 50467->50461 50471 5355c8 50468->50471 50469 535626 GetLastError 50470 535616 50469->50470 50470->50461 50470->50462 50471->50469 50471->50470 50472->50465 50474 535868 50473->50474 50475 53586c 50474->50475 50515 535837 50474->50515 50475->50295 50527 53576a GetCurrentThread 50478->50527 50481 535956 50481->50296 50482 5357c7 5 API calls 50486 5358d5 FindCloseChangeNotification 50482->50486 50484 53594c 50485 5332b9 HeapFree 50484->50485 50485->50481 50486->50481 50486->50484 50488 535e3f 50487->50488 50490 534831 50488->50490 50531 533020 HeapAlloc 50488->50531 50491 535de5 
50490->50491 50492 535dfc 50491->50492 50493 535e1c 50492->50493 50532 533020 HeapAlloc 50492->50532 50493->50301 50495 535e09 50495->50301 50497 5330c6 50496->50497 50498 5330cb MultiByteToWideChar 50496->50498 50497->50312 50499 5330df 50498->50499 50499->50312 50501 5359c9 50500->50501 50502 5357c7 5 API calls 50501->50502 50503 5359cd 50501->50503 50505 5359e1 50502->50505 50503->50316 50504 5332b9 HeapFree 50504->50503 50505->50503 50505->50504 50506->50305 50507->50320 50509 533d4f 50508->50509 50533 57c360 50509->50533 50512->50326 50513->50328 50514->50329 50518 5357c7 GetTokenInformation 50515->50518 50519 5357ec GetLastError 50518->50519 50526 535808 50518->50526 50520 5357f7 50519->50520 50519->50526 50521 5332a4 HeapAlloc 50520->50521 50522 5357ff 50521->50522 50523 53580c GetTokenInformation 50522->50523 50522->50526 50524 535824 50523->50524 50523->50526 50525 5332b9 HeapFree 50524->50525 50525->50526 50526->50295 50528 53578a 50527->50528 50529 53578e GetLastError 50528->50529 50530 53579b 50528->50530 50529->50530 50530->50481 50530->50482 50531->50490 50532->50495 50536 57c2c5 50533->50536 50537 57c2dc __vfwprintf_l 50536->50537 50540 55c390 50537->50540 50541 55c3a4 __vfwprintf_l 50540->50541 50546 54337c 50541->50546 50547 5433a8 50546->50547 50548 5433cb 50546->50548 50563 56244c 29 API calls __vfwprintf_l 50547->50563 50548->50547 50551 5433d3 __vswprintf_c_l 50548->50551 50550 5433c0 50568 5372e9 50550->50568 50564 550be0 47 API calls 2 library calls 50551->50564 50553 5434fd 50557 54d510 50553->50557 50555 543454 50565 54d555 50555->50565 50558 54d51c 50557->50558 50559 54d533 50558->50559 50583 54e210 44 API calls 2 library calls 50558->50583 50560 533d5d 50559->50560 50584 54e210 44 API calls 2 library calls 50559->50584 50560->50324 50563->50550 50564->50555 50575 56272c 50565->50575 50569 5372f2 IsProcessorFeaturePresent 50568->50569 50570 5372f1 50568->50570 50572 537334 50569->50572 50570->50553 50582 5372f7 SetUnhandledExceptionFilter 
UnhandledExceptionFilter GetCurrentProcess TerminateProcess 50572->50582 50574 537417 50574->50553 50576 562737 HeapFree 50575->50576 50580 54d565 50575->50580 50577 56274c GetLastError 50576->50577 50576->50580 50578 562759 __dosmaperr 50577->50578 50581 56262a 14 API calls __strnicoll 50578->50581 50580->50550 50581->50580 50582->50574 50583->50559 50584->50560 50586 5329ef 50585->50586 50607 535fd3 50586->50607 50588 5329ff 50589 534ded 7 API calls 50588->50589 50590 532a0e 50589->50590 50591 532a4a 50590->50591 50592 535fd3 lstrlenW 50590->50592 50591->50336 50592->50590 50611 5327ae 50593->50611 50596->50351 50599 53314a 50597->50599 50598 5332a4 HeapAlloc 50600 533168 50598->50600 50599->50598 50601 533184 50600->50601 50602 533173 lstrcatW 50600->50602 50601->50359 50602->50600 50603->50363 50604->50360 50605->50343 50606->50343 50608 535fe3 50607->50608 50609 536016 lstrlenW 50608->50609 50610 536033 50609->50610 50610->50588 50612 535751 6 API calls 50611->50612 50614 5327d8 50612->50614 50613 532817 GetNumberFormatA 50619 532834 50613->50619 50614->50613 50615 532840 50614->50615 50618 5327e4 50614->50618 50616 5332a4 HeapAlloc 50615->50616 50616->50619 50617 5332b9 HeapFree 50617->50618 50618->50339 50618->50344 50619->50617 50621 55be81 __vfwprintf_l 50620->50621 50622 55bea3 50621->50622 50624 55beca 50621->50624 50637 56244c 29 API calls __vfwprintf_l 50622->50637 50629 5424be 50624->50629 50625 55bebe 50627 54d510 __vfwprintf_l 44 API calls 50625->50627 50628 53117e 50627->50628 50628->50147 50630 5424ca __FrameHandler3::FrameUnwindToState 50629->50630 50638 54210d EnterCriticalSection 50630->50638 50632 5424d8 50639 54d764 50632->50639 50636 5424f6 50636->50625 50637->50625 50638->50632 50651 5664d7 50639->50651 50641 54d78b __vfwprintf_l 50658 54f550 50641->50658 50644 54d555 __vswprintf_c_l 14 API calls 50645 54d7df 50644->50645 50673 566582 50645->50673 50648 5372e9 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50649 5424e5 50648->50649 
50650 54250d LeaveCriticalSection __vfwprintf_l 50649->50650 50650->50636 50677 566499 50651->50677 50653 5664e8 __vwscanf_l 50654 56654a 50653->50654 50684 564227 50653->50684 50654->50641 50657 56272c __freea 14 API calls 50657->50654 50714 55a30a 50658->50714 50661 54f576 50720 56244c 29 API calls __vfwprintf_l 50661->50720 50663 54d7d2 50663->50644 50664 54f59e __vfwprintf_l __vswprintf_c_l __vfwprintf_l 50664->50663 50669 54f792 50664->50669 50721 559ed0 44 API calls 2 library calls 50664->50721 50722 54eb00 44 API calls __vswprintf_c_l 50664->50722 50723 5529ce 48 API calls 4 library calls 50664->50723 50724 553f01 48 API calls 4 library calls 50664->50724 50725 56244c 29 API calls __vfwprintf_l 50669->50725 50671 54f7ac 50726 56244c 29 API calls __vfwprintf_l 50671->50726 50674 54d7ec 50673->50674 50675 56658d 50673->50675 50674->50648 50675->50674 50729 563e88 50675->50729 50678 5664a5 __vwscanf_l 50677->50678 50679 5664cf 50678->50679 50691 565f71 50678->50691 50679->50653 50683 5664c6 50683->50653 50685 564265 50684->50685 50689 564235 __fpreset 50684->50689 50713 56262a 14 API calls __strnicoll 50685->50713 50687 564250 RtlAllocateHeap 50688 564263 50687->50688 50687->50689 50688->50657 50689->50685 50689->50687 50712 56d71f EnterCriticalSection LeaveCriticalSection __fpreset 50689->50712 50692 565f92 50691->50692 50693 565f7d 50691->50693 50698 574700 50692->50698 50707 56262a 14 API calls __strnicoll 50693->50707 50695 565f82 50708 5624c9 44 API calls __strnicoll 50695->50708 50699 57470d 50698->50699 50700 57471a 50698->50700 50709 56262a 14 API calls __strnicoll 50699->50709 50704 574726 50700->50704 50710 56262a 14 API calls __strnicoll 50700->50710 50703 574712 50703->50683 50704->50683 50705 574747 50711 5624c9 44 API calls __strnicoll 50705->50711 50707->50695 50709->50703 50710->50705 50712->50689 50713->50688 50715 55a315 50714->50715 50716 55a337 50714->50716 50727 56244c 29 API calls __vfwprintf_l 50715->50727 50728 55af23 44 API calls 2 
library calls 50716->50728 50719 54f56b 50719->50661 50719->50663 50719->50664 50720->50663 50721->50664 50722->50664 50723->50664 50724->50664 50725->50671 50726->50663 50727->50719 50728->50719 50730 563ea1 50729->50730 50734 563ec8 50729->50734 50731 565f71 __vfwprintf_l 44 API calls 50730->50731 50730->50734 50732 563ebd 50731->50732 50735 56f9b1 50732->50735 50734->50674 50737 56f9bd __FrameHandler3::FrameUnwindToState 50735->50737 50736 56f9c5 50736->50734 50737->50736 50738 56f9fe 50737->50738 50739 56fa44 50737->50739 50775 56244c 29 API calls __vfwprintf_l 50738->50775 50746 56a524 EnterCriticalSection 50739->50746 50742 56fa4a 50743 56fa68 50742->50743 50747 56fac2 50742->50747 50776 56faba LeaveCriticalSection __vfwprintf_l 50743->50776 50746->50742 50748 56faea 50747->50748 50772 56fb0d __vfwprintf_l 50747->50772 50749 56faee 50748->50749 50751 56fb49 50748->50751 50791 56244c 29 API calls __vfwprintf_l 50749->50791 50752 56fb67 50751->50752 50792 576f5f 46 API calls __vfwprintf_l 50751->50792 50777 56f5f6 50752->50777 50756 56fbc6 50760 56fc2f WriteFile 50756->50760 50761 56fbda 50756->50761 50757 56fb7f 50758 56fb87 50757->50758 50759 56fbae 50757->50759 50758->50772 50793 56f58e 6 API calls __vfwprintf_l 50758->50793 50794 56f1c7 50 API calls 5 library calls 50759->50794 50765 56fc51 GetLastError 50760->50765 50774 56fbc1 50760->50774 50762 56fbe2 50761->50762 50763 56fc1b 50761->50763 50766 56fc07 50762->50766 50767 56fbe7 50762->50767 50784 56f673 50763->50784 50765->50774 50796 56f837 8 API calls 3 library calls 50766->50796 50770 56fbf0 50767->50770 50767->50772 50795 56f74e 7 API calls 2 library calls 50770->50795 50772->50743 50774->50772 50775->50736 50776->50736 50778 574700 __vfwprintf_l 44 API calls 50777->50778 50781 56f608 50778->50781 50779 56f66c 50779->50756 50779->50757 50780 56f636 50780->50779 50783 56f650 GetConsoleMode 50780->50783 50781->50779 50781->50780 50782 559ed0 UnDecorator::getSymbolName 44 API calls 50781->50782 
50782->50780 50783->50779 50789 56f682 __vfwprintf_l 50784->50789 50785 56f733 50786 5372e9 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50785->50786 50787 56f74c 50786->50787 50787->50772 50788 56f6f2 WriteFile 50788->50789 50790 56f735 GetLastError 50788->50790 50789->50785 50789->50788 50790->50785 50791->50772 50792->50752 50793->50772 50794->50774 50795->50772 50796->50774 50798 532b12 50797->50798 50799 534dfa 8 API calls 50798->50799 50800 532b1c GetVolumeInformationW 50799->50800 50801 532b40 50800->50801 50802 533d3c 47 API calls 50801->50802 50803 532b5e 50802->50803 50804 533138 2 API calls 50803->50804 50805 532b77 50804->50805 50806 532b86 CharUpperBuffW 50805->50806 50807 532b9d 50806->50807 50808 5332b9 HeapFree 50807->50808 50809 531c53 50808->50809 50809->50374 50811 541d11 50810->50811 50812 541d23 50810->50812 50837 541db5 GetModuleHandleW 50811->50837 50822 541a2a 50812->50822 50816 541d16 50816->50812 50838 541e10 GetModuleHandleExW 50816->50838 50817 536408 50817->50248 50821 541d75 50823 541a36 __FrameHandler3::FrameUnwindToState 50822->50823 50844 561eca EnterCriticalSection 50823->50844 50825 541a40 50845 541b9f 50825->50845 50827 541a4d 50849 541a6b 50827->50849 50830 541d7b 50854 541df7 50830->50854 50832 541d85 50833 541d99 50832->50833 50834 541d89 GetCurrentProcess TerminateProcess 50832->50834 50835 541e10 CallUnexpected 3 API calls 50833->50835 50834->50833 50836 541da1 ExitProcess 50835->50836 50837->50816 50839 541e70 50838->50839 50840 541e4f GetProcAddress 50838->50840 50842 541e76 FreeLibrary 50839->50842 50843 541d22 50839->50843 50840->50839 50841 541e63 50840->50841 50841->50839 50842->50843 50843->50812 50844->50825 50846 541bab __FrameHandler3::FrameUnwindToState CallUnexpected 50845->50846 50848 541c0f CallUnexpected 50846->50848 50852 5619a7 14 API calls 3 library calls 50846->50852 50848->50827 50853 561f12 LeaveCriticalSection 50849->50853 50851 541a59 50851->50817 50851->50830 50852->50848 50853->50851 50857 
562176 50854->50857 50856 541dfc CallUnexpected 50856->50832 50858 562185 CallUnexpected 50857->50858 50859 562192 50858->50859 50861 562f05 50858->50861 50859->50856 50864 562da3 50861->50864 50865 562dd3 50864->50865 50869 562dcf 50864->50869 50865->50869 50871 562cd8 50865->50871 50868 562ded GetProcAddress 50868->50869 50870 562dfd __fpreset 50868->50870 50869->50859 50870->50869 50877 562ce9 ___vcrt_FlsFree 50871->50877 50872 562d7f 50872->50868 50872->50869 50873 562d07 LoadLibraryExW 50874 562d86 50873->50874 50875 562d22 GetLastError 50873->50875 50874->50872 50876 562d98 FreeLibrary 50874->50876 50875->50877 50876->50872 50877->50872 50877->50873 50878 562d55 LoadLibraryExW 50877->50878 50878->50874 50878->50877
    APIs
      • Part of subcall function 0053328F: HeapCreate.KERNELBASE(00000000,00096000,00000000,00531B52), ref: 00533298
    • GetFileAttributesW.KERNELBASE(?), ref: 00531B73
    • GetModuleHandleA.KERNEL32(00000000,00000001), ref: 00531B99
      • Part of subcall function 00534767: GetCurrentProcessId.KERNEL32 ref: 0053478C
      • Part of subcall function 00534767: GetLastError.KERNEL32 ref: 0053488C
      • Part of subcall function 00534767: KiUserCallbackDispatcher.NTDLL(00001000), ref: 0053489C
      • Part of subcall function 00532E24: GetFileAttributesW.KERNELBASE(?,00531BC5), ref: 00532E2A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: AttributesFile$CallbackCreateCurrentDispatcherErrorHandleHeapLastModuleProcessUser
    • String ID: Done.$!$%s$%u%s$-dm$-du$Action: %u$Command failed: ret=%d$Config clean failed.$Config cleaned ok.$DecryptSeclogFile() failed.$ERROR: SendPipeMsgClient2() failed, may be Update is not running$ERROR: Unknown command: '%s'$ERROR: unknown argument: %S$GetStager1FileMainDecrypted() failed.$GetStager1FileMainDecrypted() ok: dwStager1Type=%u dwFileSize=%u$GetStager1FileUpdateDecrypted() failed.$GetStager1FileUpdateDecrypted() ok: dwStager1Type=%u dwFileSize=%u$QPCMD_BOT_SHUTDOWN sent ok.$Stopping...$Success: ret=%d$Update alias: %s$Update is not installed.$Use numeric command$alias: %s$cc_main$dwDecryptLen=%u$nick: %s$stager_1_update.dll$szArgsNew='%s'$szPipeName='%s'$wszSeclogFile='%S' nick='%s'${-} DecryptConfig() failed
    • API String ID: 2174859914-2758152920
    • Opcode ID: fba7318d7c68577da3b738c9c6cc2c24d3f44d9b20bdb9f56b2615324cf713d3
    • Instruction ID: 36eca5335f985de983ae965e2abdafafd4e3806d71e346bbdad317322afaf443
    • Opcode Fuzzy Hash: fba7318d7c68577da3b738c9c6cc2c24d3f44d9b20bdb9f56b2615324cf713d3
    • Instruction Fuzzy Hash: 3362D570E00609EBDB14DFA0DC56BEE7BB5BF94304F108469E9066B281EB71AF54CB51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetCurrentProcessId.KERNEL32 ref: 0053478C
    • GetLastError.KERNEL32 ref: 0053488C
    • KiUserCallbackDispatcher.NTDLL(00001000), ref: 0053489C
    • GetVersionExA.KERNEL32(00000000), ref: 00534A23
      • Part of subcall function 005358A1: FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,00001644), ref: 00535944
    • GetWindowsDirectoryW.KERNEL32(00001020,00000104), ref: 00534A4E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: CallbackChangeCloseCurrentDirectoryDispatcherErrorFindLastNotificationProcessUserVersionWindows
    • String ID: %s\%s$SystemDrive$TEMP$TEMP$USERPROFILE
    • API String ID: 1534145538-2706916422
    • Opcode ID: 831e552cbe4c95199ab1a12135dec9e422637e15580aa2326cd468c923f25e07
    • Instruction ID: 89da2cfc78f338ae9d0915520819cb317139396196f169c0a00754f47f14e96e
    • Opcode Fuzzy Hash: 831e552cbe4c95199ab1a12135dec9e422637e15580aa2326cd468c923f25e07
    • Instruction Fuzzy Hash: 1EC14075700A06AFD708DF74C859BEABBE8BF49300F004669F51A97251EB70BA48CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph for the function starting at 0x533e91 (basic-block edge list; graph rendering omitted)
    APIs
    • LoadLibraryA.KERNELBASE(.dll,?,?,00000000), ref: 00533F61
    • GetProcAddress.KERNEL32(00000000,?), ref: 00533F6D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: AddressLibraryLoadProc
    • String ID: .dll$:@S
    • API String ID: 2574300362-3513026034
    • Opcode ID: 175a492dd3173e2c968ab2489b649ad1e8c4a6e38a9da84c0b2ac604f246f8b2
    • Instruction ID: ec5e72d34b132597e6ed32e47adf85cd04cec2ae7ba0d2eb7cf98ce2be9a3004
    • Opcode Fuzzy Hash: 175a492dd3173e2c968ab2489b649ad1e8c4a6e38a9da84c0b2ac604f246f8b2
    • Instruction Fuzzy Hash: 4231AC71E001559BCB24CFADC884AAEBFF5BF44304F2844A9E845E7251DB34DA91CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph for the function starting at 0x562cd8 (basic-block edge list; graph rendering omitted)
    APIs
    • FreeLibrary.KERNEL32(00000000,?,00562DE7,0054D546,?,00000000,?,00000000,?,005631AE,00000022,FlsSetValue,005A0AC4,005A0ACC,?), ref: 00562D99
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: FreeLibrary
    • String ID: J$V$api-ms-$ext-ms-
    • API String ID: 3664257935-1695487325
    • Opcode ID: c67369c6dcdc5bcba4ec7415638b23f46b6dd4b1ec3378001b7d14188c84fe56
    • Instruction ID: 8968c3ed15caa317d7e039f8f48a6ce17a2238fa07443e34e0ec079fd5ea94ce
    • Opcode Fuzzy Hash: c67369c6dcdc5bcba4ec7415638b23f46b6dd4b1ec3378001b7d14188c84fe56
    • Instruction Fuzzy Hash: 96210A31A01A11ABC7719B64DC49A6A3F78BF52770F150610FD05E7290DB34ED06D6E0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • ___security_init_cookie.LIBCMT ref: 00536285
      • Part of subcall function 00536B2C: ___get_entropy.LIBCMT ref: 00536B46
    • ___scrt_release_startup_lock.LIBCMT ref: 00536321
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 00536335
    • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0053635B
    • ___scrt_uninitialize_crt.LIBCMT ref: 005363A4
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
    • String ID:
    • API String ID: 2539496024-0
    • Opcode ID: ed47d9643f973c715c914974b0671e0ca9f52a0b71409e4b04e37f7e695df511
    • Instruction ID: 7c2327671b809d8cedbe60e4f292ad3a62a38372171931f1cea714e4b4e37d92
    • Opcode Fuzzy Hash: ed47d9643f973c715c914974b0671e0ca9f52a0b71409e4b04e37f7e695df511
    • Instruction Fuzzy Hash: 67314836544603BACF217B749C1B7AE7FA0BFD2725F24882EF441AB1D2DE3188459725
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph for the function starting at 0x53288c (basic-block edge list; graph rendering omitted)
    APIs
    • GetNumberFormatA.KERNEL32(0001E455,00016315,quoaehzdffud,00000000,?,00000022), ref: 00532915
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: FormatNumber
    • String ID: MjnUJbuyIOJ$quoaehzdffud
    • API String ID: 481257995-3250296153
    • Opcode ID: 424f5d3687704048387117a70530e5bd6c059d99829a4c1bab230ad78564c987
    • Instruction ID: 0144df7c801c39ed2944a15f6c2bb0b788d9baa3bda104b04fd1c0d8b9e5a3ca
    • Opcode Fuzzy Hash: 424f5d3687704048387117a70530e5bd6c059d99829a4c1bab230ad78564c987
    • Instruction Fuzzy Hash: 3E315B32B00B59ABDB048FA98895AFE7F65BF55740F740079D981AB282D630DD86C790
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Control-flow graph for the function starting at 0x5357c7 (basic-block edge list; graph rendering omitted)
    APIs
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00001644,00000000,00000000,?,0053584B,00000000,00000000,?,00535877), ref: 005357E2
    • GetLastError.KERNEL32(?,0053584B,00000000,00000000,?,00535877,00000000,?,005347F6), ref: 005357EC
    • GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,?,?,0053584B,00000000,00000000,?,00535877,00000000,?,005347F6), ref: 0053581A
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: InformationToken$ErrorLast
    • String ID:
    • API String ID: 2567405617-0
    • Opcode ID: 240a8b84da76560735f8d085d98b11b1f8a5f4b0902d593f6d07131cbc3b2d4f
    • Instruction ID: d3ff842da7362b02ec3de87d98e7b2cde7d31a5b099860caf9c61f433f5f4a57
    • Opcode Fuzzy Hash: 240a8b84da76560735f8d085d98b11b1f8a5f4b0902d593f6d07131cbc3b2d4f
    • Instruction Fuzzy Hash: 5501AD35A10214BFCB209BA9CC88DABBFACFF95790F605465F906D3100EA30AE04D7A0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetCurrentProcess.KERNEL32(00541EE6,?,00541D75,00000000,?,?,00541EE6,25D5FA14,?,00541EE6), ref: 00541D8C
    • TerminateProcess.KERNEL32(00000000,?,00541D75,00000000,?,?,00541EE6,25D5FA14,?,00541EE6), ref: 00541D93
    • ExitProcess.KERNEL32 ref: 00541DA5
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: f7b7711c2e2b7978c6dacd92c4232a4783f0fc4701a4292b1010624c10d49a23
    • Instruction ID: 8a8ddd510f026443f6f4cc3f41445d9e6ca00cee1742f831052c22f5b9c2f170
    • Opcode Fuzzy Hash: f7b7711c2e2b7978c6dacd92c4232a4783f0fc4701a4292b1010624c10d49a23
    • Instruction Fuzzy Hash: 51D09E75400504ABCF012F60DD0E9E93F2ABF563457018411B9094A131CF7199A7FA84
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Graph rendering not reproduced; basic blocks 5327ae-53288b, with a call to GetNumberFormatA.
    APIs
    • GetNumberFormatA.KERNEL32(00000001,0000138A,aiodewio,00000000,?,00000022), ref: 0053282A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: FormatNumber
    • String ID: aiodewio
    • API String ID: 481257995-3324628923
    • Opcode ID: f12ad33fc6d73e8037356b4bbc0684a7be90031b7b534e86bb780c6ad3eaf3c1
    • Instruction ID: c18d2795a7601150d661c3d8735abe1cb7ca9d394825267bea84f7abe6b29c44
    • Opcode Fuzzy Hash: f12ad33fc6d73e8037356b4bbc0684a7be90031b7b534e86bb780c6ad3eaf3c1
    • Instruction Fuzzy Hash: 63210A35B00B15ABD7148FA984955EEBFA5FFD5740F740069E546A7282DA30EE42C390
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Graph rendering not reproduced; basic blocks 564227-564274, with a call to RtlAllocateHeap.
    APIs
    • RtlAllocateHeap.NTDLL(00000000,00000014,00000000,J$V,0056DDA4,005AB2A8,00000014,00000003,00000028,00561E10,00000016,0054E26B), ref: 00564259
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID: J$V
    • API String ID: 1279760036-4054631523
    • Opcode ID: df8d4dc323faff2210a081df3d87f051f6dc8836e3e3e2069a8df5fcb13c5543
    • Instruction ID: 77ad751e441b3674a2315c00ae62e440848a639486cde506c763f83ef3622db8
    • Opcode Fuzzy Hash: df8d4dc323faff2210a081df3d87f051f6dc8836e3e3e2069a8df5fcb13c5543
    • Instruction Fuzzy Hash: F5E0923A6056216BDB312766BC29B6B7F59FFC27A0F390221FC1597091DF60DC809AA1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Graph rendering not reproduced; basic blocks 56fac2-56fcdd, with calls to WriteFile and GetLastError.
    APIs
      • Part of subcall function 0056F1C7: GetConsoleOutputCP.KERNEL32(25D5FA14,00000000,00000000,00000000), ref: 0056F22A
    • WriteFile.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,00000000,?,?,00000000,?,00000000), ref: 0056FC47
    • GetLastError.KERNEL32(?,00000000,?,?,00000000,?,00000000,?), ref: 0056FC51
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ConsoleErrorFileLastOutputWrite
    • String ID:
    • API String ID: 2915228174-0
    • Opcode ID: 6fd4707671f953fd2fa13104c52bfac6c6534e100023a41aaf9fe6d959c7b656
    • Instruction ID: cc57ebad3d3a7ec9514eedba1c19690dc703c1ae8550fc71078b3d84d38b3b65
    • Opcode Fuzzy Hash: 6fd4707671f953fd2fa13104c52bfac6c6534e100023a41aaf9fe6d959c7b656
    • Instruction Fuzzy Hash: 85619E71D0811AAFDF11DFA8E889AAEBFB9BF49304F140565E800A7216D732DD15DB60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetVolumeInformationW.KERNELBASE(00000000,?,00000105,00532BD8,00000000,00000000,00000000,00000000), ref: 00532B39
    • CharUpperBuffW.USER32(00000000,00000000), ref: 00532B8B
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: BuffCharInformationUpperVolume
    • String ID:
    • API String ID: 3850600697-0
    • Opcode ID: a92bb9f393dc2e02d042daaf7e12ce4be489f825c858d54d5abcc5da19b1225b
    • Instruction ID: 7103eca679bf17ffdba0ed51255a2f238fd9430e7f24154a33421b602480696d
    • Opcode Fuzzy Hash: a92bb9f393dc2e02d042daaf7e12ce4be489f825c858d54d5abcc5da19b1225b
    • Instruction Fuzzy Hash: 8D213271E00108BBDB14EBA9DC49EEEBBFDEB98710F10416AF506E3291DA705B44CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Graph rendering not reproduced; basic blocks 56f673-56f74d, with calls to WriteFile and GetLastError.
    APIs
    • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,0056FC2D,?,?,00000000,?,00000000,00000000), ref: 0056F70F
    • GetLastError.KERNEL32(?,0056FC2D,?,?,00000000,?,00000000,00000000,?,?,?,00000000,?,?,00000000,?), ref: 0056F735
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorFileLastWrite
    • String ID:
    • API String ID: 442123175-0
    • Opcode ID: e3ec7095382c98f4d32ca86f01a469fd0f6a3c261732234b1d1fd957f5f064b8
    • Instruction ID: f4209e4651dcaa25fe45e5052ae5ed8a7e3d82253d94606dfafa1cedaf1cbd21
    • Opcode Fuzzy Hash: e3ec7095382c98f4d32ca86f01a469fd0f6a3c261732234b1d1fd957f5f064b8
    • Instruction Fuzzy Hash: 56216075A002199BCB15CF29DC809E9BBBAFB59301F1441AAE946D7211D730EE46CB64
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Graph rendering not reproduced; basic blocks 5640eb-56419a, with calls to GetStdHandle and GetFileType.
    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 00564137
    • GetFileType.KERNELBASE(00000000), ref: 00564149
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: FileHandleType
    • String ID:
    • API String ID: 3000768030-0
    • Opcode ID: d4aea9bc2ee451d39a2ef01bf51a71ca5137c329ad5a1f08bf18626943c6eae6
    • Instruction ID: 99354d758defb59537ff4d79c3635722e201d78a76f7c678dfa8e8dab942cb8d
    • Opcode Fuzzy Hash: d4aea9bc2ee451d39a2ef01bf51a71ca5137c329ad5a1f08bf18626943c6eae6
    • Instruction Fuzzy Hash: D11190316047515AC7304E3E8C88622BE99BBB7374B380B1AD5BA875F1C730D9C6EA40
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Graph rendering not reproduced; basic blocks 533fc8-534043, with calls to GetModuleHandleA and LoadLibraryA.
    APIs
    • GetModuleHandleA.KERNEL32(?), ref: 0053401B
    • LoadLibraryA.KERNELBASE(?), ref: 00534028
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: HandleLibraryLoadModule
    • String ID:
    • API String ID: 4133054770-0
    • Opcode ID: 3e927dabbdf31095f6d67d4f2bbaf54bbeff2cecf8e91b1019bbc6c5e8d838ae
    • Instruction ID: d7c0c3cf4d4b2e9d5de1fcd803cbfd7e2fa89c6c8f007624f11d24eee90a6a53
    • Opcode Fuzzy Hash: 3e927dabbdf31095f6d67d4f2bbaf54bbeff2cecf8e91b1019bbc6c5e8d838ae
    • Instruction Fuzzy Hash: FE01F531A041445FCB04DFBA98C889EBFB4EE4D610B5984A9E544DB251D630A905CFA0
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    Graph rendering not reproduced; basic blocks 535659-535750, with calls to GetLastError.
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: f458819c6eba6ef7aaa1aa05c259998bbeede33fb33f9282e5b94b6672990f17
    • Instruction ID: c0abc71f04b6dede38d329e020ae9d6ea54cf3b2456c42a1c543e689d3775020
    • Opcode Fuzzy Hash: f458819c6eba6ef7aaa1aa05c259998bbeede33fb33f9282e5b94b6672990f17
    • Instruction Fuzzy Hash: 5C314F35A00605EFDB10DFA8CD84BAEBBB5FF48750F104559F915AB291EB30AE05DB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 005335F5
      • Part of subcall function 00533055: MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,00000000,005334F5), ref: 0053307F
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ByteCharMultiOpenWide
    • String ID:
    • API String ID: 471680335-0
    • Opcode ID: f741da055093a95eadfdfd1da8fbd20d6d4bfe5f619e43f1c8c67259820a2f9e
    • Instruction ID: d156bf54b2dcaab27f5d37e0ceeb1be8b073c79fd8202406cfe90ec2a34f662a
    • Opcode Fuzzy Hash: f741da055093a95eadfdfd1da8fbd20d6d4bfe5f619e43f1c8c67259820a2f9e
    • Instruction Fuzzy Hash: 19914971E0020AAFDB11DF99CD499AEBFB8FF58310F144169F805AB261DB319B45DB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0053576A: GetCurrentThread.KERNEL32 ref: 0053577D
      • Part of subcall function 0053576A: GetLastError.KERNEL32(?,?,005358BB,00000000,00001644), ref: 0053578E
      • Part of subcall function 005357C7: GetTokenInformation.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00000000,00000000,00001644,00000000,00000000,?,0053584B,00000000,00000000,?,00535877), ref: 005357E2
      • Part of subcall function 005357C7: GetLastError.KERNEL32(?,0053584B,00000000,00000000,?,00535877,00000000,?,005347F6), ref: 005357EC
    • FindCloseChangeNotification.KERNELBASE(?,00000000,00000000,00001644), ref: 00535944
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorLast$ChangeCloseCurrentFindInformationNotificationThreadToken
    • String ID:
    • API String ID: 3430231349-0
    • Opcode ID: 3d0cd88f7aa811a84541a80ed25041f2b41e9e3b972351bf3fa3434353821baa
    • Instruction ID: fcd603d52ffdcb669a19b3a9e3495d68c6d1a66365c52870fc537cac5cae9c0e
    • Opcode Fuzzy Hash: 3d0cd88f7aa811a84541a80ed25041f2b41e9e3b972351bf3fa3434353821baa
    • Instruction Fuzzy Hash: CC218176A00605EFCB10DFA9DC85BAEBBF9FF44710F105469E602E7251EB30AA05DB50
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: c4ac601d902018f61892d0c5175773614cd1b19a557e33cfe934097bbaa63c19
    • Instruction ID: 6460ee27148d1ba68d4f96dad2afb7d2f0f21bf7c726ebc8c1cdc429bb2b99ff
    • Opcode Fuzzy Hash: c4ac601d902018f61892d0c5175773614cd1b19a557e33cfe934097bbaa63c19
    • Instruction Fuzzy Hash: 1F016D33A00A155FCB169F68EC449673BB9FBC5330F240520F606CB154EA31EC4A9B90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetFileAttributesW.KERNELBASE(?,00531BC5), ref: 00532E2A
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: 482700d63ed8e7632f798b9a6f244ff49e6c08935ec807873d96addba5bc00bf
    • Instruction ID: 1a80770da02688cea0fa49eeefa942854acb833289c09bf8067dc05fd79ab9b5
    • Opcode Fuzzy Hash: 482700d63ed8e7632f798b9a6f244ff49e6c08935ec807873d96addba5bc00bf
    • Instruction Fuzzy Hash: F9B092B62200004BC7584B389C889AE32906B08231BA94BACB027D60E0DE20D998AB00
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • HeapCreate.KERNELBASE(00000000,00096000,00000000,00531B52), ref: 00533298
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: CreateHeap
    • String ID:
    • API String ID: 10892065-0
    • Opcode ID: a8d3ba76a274a5d048ea54b704977fc757794718033106276482ec6a36cd67cf
    • Instruction ID: 9e83211ad85142cd28cb96feff17ac2f8db08e9b2f4701820e1c2e70e7a9ab18
    • Opcode Fuzzy Hash: a8d3ba76a274a5d048ea54b704977fc757794718033106276482ec6a36cd67cf
    • Instruction Fuzzy Hash: DCB012702C03045ED7500F109C0AB0035107355B42F100201F201B81D4CBB02018B508
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,005356A6,?,?,00000000), ref: 00535626
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0
    • Opcode ID: 856f8c5c3cc212570ffcceb308f0e323acb1fc2d56a2d4f06d7bdfcf02a1c47c
    • Instruction ID: 2e94069603b2982c846cb0faeb3e9594a24e925f6fb175c784a6c0c94f85d10b
    • Opcode Fuzzy Hash: 856f8c5c3cc212570ffcceb308f0e323acb1fc2d56a2d4f06d7bdfcf02a1c47c
    • Instruction Fuzzy Hash: EC11E671A00108BFDB509FA9DD89D9F7FBCFB48740F4544A5B501E6161EA30EE04EB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 0053ACB1
      • Part of subcall function 0053BB23: DName::operator+.LIBCMT ref: 0053BBB9
    • DName::operator+.LIBCMT ref: 0053AEFB
    • DName::operator+.LIBCMT ref: 0053AF30
    • DName::operator+.LIBCMT ref: 0053AF7F
    • DName::DName.LIBVCRUNTIME ref: 0053B31A
    • DName::operator+.LIBCMT ref: 0053B326
    • DName::operator+.LIBCMT ref: 0053B334
    • DName::operator+.LIBCMT ref: 0053B33F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name::operator+$NameName::
    • String ID: && $\$[$\$[$\$[
    • API String ID: 168861036-688296583
    • Opcode ID: a31555db375fa50e84d799123a6b31268ebf1adeb9358654474c90a45f2365b8
    • Instruction ID: 1aaab0737801f957034adcd50065b79421bd15e2ffc86a4d2132c37d78553911
    • Opcode Fuzzy Hash: a31555db375fa50e84d799123a6b31268ebf1adeb9358654474c90a45f2365b8
    • Instruction Fuzzy Hash: 02427BB5D002099FDF19DFA4C499BEEBFB4BF58300F10455AF552A7291EB30AA44CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::DName.LIBVCRUNTIME ref: 005390C6
    • operator+.LIBVCRUNTIME ref: 005390E0
    • DName::operator+.LIBCMT ref: 00539214
    • DName::operator+.LIBCMT ref: 00539231
    • DName::operator+.LIBCMT ref: 00539280
      • Part of subcall function 0053A3F0: DName::DName.LIBVCRUNTIME ref: 0053A433
      • Part of subcall function 00538DCE: shared_ptr.LIBCMT ref: 00538DEA
      • Part of subcall function 0053AAEC: shared_ptr.LIBCMT ref: 0053AB9D
    • DName::operator+.LIBCMT ref: 005392F7
    • DName::operator+.LIBCMT ref: 00539306
    • DName::operator+.LIBCMT ref: 005397EB
    • DName::operator+.LIBCMT ref: 00539807
    • DName::operator+.LIBCMT ref: 00539A84
      • Part of subcall function 00538CBD: DName::operator+.LIBCMT ref: 00538CDE
    • DName::operator+.LIBCMT ref: 00539B88
    • DName::operator+.LIBCMT ref: 00539C5D
    • DName::operator+.LIBCMT ref: 00539D0B
    • DName::operator+.LIBCMT ref: 00539D48
    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name::operator+$NameName::shared_ptr$operator+
    • String ID: /$\$[
    • API String ID: 1847427470-3256142255
    • Opcode ID: 95c0e40852a14b6c40a6b9ba248caeeaa23015fec01bcf45d07035a3b2d870ca
    • Instruction ID: 06d6f190e26a61c5a6e12958c148635c7af28ead8aaffbdcf74853ce4a1c0de0
    • Opcode Fuzzy Hash: 95c0e40852a14b6c40a6b9ba248caeeaa23015fec01bcf45d07035a3b2d870ca
    • Instruction Fuzzy Hash: 878252B2D1020A9BDF19DFA4C895AEEBFF8BF58310F14452AE411E7290DBB49E44CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0056D45C
    • IsValidCodePage.KERNEL32(00000000), ref: 0056D49A
    • IsValidLocale.KERNEL32(?,00000001), ref: 0056D4AD
    • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0056D4F5
    • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0056D510
    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
    • String ID: 4$Z
    • API String ID: 415426439-2792738066
    • Opcode ID: ba033caa8b0e4586d11ca689cd9af81f15ed00e694b959ca8f53c9c6296a627d
    • Instruction ID: 8ce06b5c15b2a2159bf8933c5ba07913913dade26846d9fcca11624a775b58c1
    • Opcode Fuzzy Hash: ba033caa8b0e4586d11ca689cd9af81f15ed00e694b959ca8f53c9c6296a627d
    • Instruction Fuzzy Hash: 21518C71F0020AAAEF10DFA5DC45ABA7BB8BF55701F150829A901E7190EBB0AE44CB71
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 42f60fdc74fb36752e3f9bc777ffefe243b1222875c50eb750924b1250db9b23
    • Instruction ID: b1ec9cc31d8a40c29da31df9af615aa53ba514d6dc7b280fe73ab97e077151bd
    • Opcode Fuzzy Hash: 42f60fdc74fb36752e3f9bc777ffefe243b1222875c50eb750924b1250db9b23
    • Instruction Fuzzy Hash: 7DD25A71E082298FDB64CE28EC447EABBB5FB44310F1485EAD44DE7240E774AE85AF41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • CreateNamedPipeA.KERNEL32(00000000,00000003,00000006,000000FF,0000FA00,0000FA00,00000000,00000000), ref: 005313EB
    • ConnectNamedPipe.KERNEL32(000000FF,00000000), ref: 00531427
    • GetLastError.KERNEL32 ref: 0053143A
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: NamedPipe$ConnectCreateErrorLast
    • String ID:
    • API String ID: 3851520242-0
    • Opcode ID: 2579526040234395c67981c987a807f9b0fc302bf252786a2bb831fa9e5441c9
    • Instruction ID: 00b3f0d27acd31f94bbacd1ac7bd97b1ec92b97593d8738f3cecaef4bd9a2920
    • Opcode Fuzzy Hash: 2579526040234395c67981c987a807f9b0fc302bf252786a2bb831fa9e5441c9
    • Instruction Fuzzy Hash: E3416370E04B09EBDF20CBB0D949BBEBFB5BB40300F208965D506A61C0DBB49E45DB59
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • GetACP.KERNEL32(?,?,?,?,?,?,00560242,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0056CA80
    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00560242,?,?,?,00000055,?,-00000050,?,?), ref: 0056CAB7
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0056CC1A
    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorLast$CodeInfoLocalePageValid
    • String ID: 4$Z$utf8
    • API String ID: 607553120-3535788457
    • Opcode ID: 23ed4da63475deba2d494b705d82b7f4e65bb1128e808a6fdc4541713834ec54
    • Instruction ID: fa082ef41b925ebc70edf9fb313e398099c9ca41d6bddfdf79bfb316a5881940
    • Opcode Fuzzy Hash: 23ed4da63475deba2d494b705d82b7f4e65bb1128e808a6fdc4541713834ec54
    • Instruction Fuzzy Hash: DC710731A00607AADB24EB75CC4ABBA7FA8FF85700F14446AF985D7181FA74ED40D7A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,0056D48A,00000002,00000000,?,?,?,0056D48A,?,00000000), ref: 0056D211
    • GetLocaleInfoW.KERNEL32(?,20001004,0056D48A,00000002,00000000,?,?,?,0056D48A,?,00000000), ref: 0056D23A
    • GetACP.KERNEL32(?,?,0056D48A,?,00000000), ref: 0056D24F
    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: fd50f89adae32a33750900d40037cc39680a959e1e73fab52f8aac941cba8aba
    • Instruction ID: f5b1cfec1b7d645bbd5311fc774892c3631f33df9eb1bc6d3859b78ad16dfb01
    • Opcode Fuzzy Hash: fd50f89adae32a33750900d40037cc39680a959e1e73fab52f8aac941cba8aba
    • Instruction Fuzzy Hash: CC21AC36F00100AADB348F54D915BA7BBBBBF96B60B568C25E90AD7200EB72DD41D370
    Uniqueness

    Uniqueness Score: -1.00%

    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: ac5051c78aba52ebd887134601ea467777a9ae3aeef73f1af40b9177dc5327fc
    • Instruction ID: f02560232ead9f600eed56580c422b6d01af68902aa719fefe26c401982deb0d
    • Opcode Fuzzy Hash: ac5051c78aba52ebd887134601ea467777a9ae3aeef73f1af40b9177dc5327fc
    • Instruction Fuzzy Hash: B7023C71E016199FDF14CFA9D8806AEBBF1FF88314F248269D919E7341D731AA01DB94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0056810F
    • FindNextFileW.KERNEL32(00000000,?), ref: 0056818A
    • FindClose.KERNEL32(00000000), ref: 005681AC
    • FindClose.KERNEL32(00000000), ref: 005681CF
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Find$CloseFile$FirstNext
    • String ID:
    • API String ID: 1164774033-0
    • Opcode ID: 77cdb65f1f39136f2ea2856db2516255f4d68618221fe66d794788a3089c54f5
    • Instruction ID: f3b676fdd0a016334a189f6043936279eec48b3272acb0eaf5b3670724817130
    • Opcode Fuzzy Hash: 77cdb65f1f39136f2ea2856db2516255f4d68618221fe66d794788a3089c54f5
    • Instruction Fuzzy Hash: 5141D771A00619AFDB20EF64DC8DABABB79FF89315F044695E405D3140EF309E85CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00536C16
    • IsDebuggerPresent.KERNEL32 ref: 00536CE2
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00536D02
    • UnhandledExceptionFilter.KERNEL32(?), ref: 00536D0C
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    • Opcode ID: d200781cb991a06c10702b4a61371b36402373d3f49d2822beec37924604c302
    • Instruction ID: 7a689d16002875b56f05d40ac0b5b84a6cafb8c3015caee2eb4b01ab64cb2123
    • Opcode Fuzzy Hash: d200781cb991a06c10702b4a61371b36402373d3f49d2822beec37924604c302
    • Instruction Fuzzy Hash: AC3129B5D0521D9BDB20EFA4DD897DDBBB8BF18304F1044AAE40DAB250EB705A89DF44
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0056CE50
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0056CE9A
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0056CF60
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: InfoLocale$ErrorLast
    • String ID:
    • API String ID: 661929714-0
    • Opcode ID: 108c956c21c7c4709f5a8c316002ab9e282c8f810616cf2ccabc79f3908a20a2
    • Instruction ID: 222dcd331f4667031be5ade27d577d7232e795aa943ae2b79620da73c294896d
    • Opcode Fuzzy Hash: 108c956c21c7c4709f5a8c316002ab9e282c8f810616cf2ccabc79f3908a20a2
    • Instruction Fuzzy Hash: 72618C71A10107AFDB289F24C886BBABBB9FF44310F10446AE905C7581FB34ED45DB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0053121C), ref: 0056239D
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0053121C), ref: 005623A7
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0053121C), ref: 005623B4
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: f0f6ecdf1ca51bd8d8bd125885ba3dd454e69c675f864a75ecd62cb61b140a25
    • Instruction ID: b665efb3714046e48b28eae2370eb90df86e83f9a612d50e9ab78b74cb217535
    • Opcode Fuzzy Hash: f0f6ecdf1ca51bd8d8bd125885ba3dd454e69c675f864a75ecd62cb61b140a25
    • Instruction Fuzzy Hash: 9931D2B490122DABCB21DF25DC887DDBBB8BF58310F5045EAE41CA7250EB709B858F44
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID: 0$]1T
    • API String ID: 0-2255247438
    • Opcode ID: f5125db33c838448577ca919c2ccb8b32fd32afd5ac3fb2b5220896041dad2a3
    • Instruction ID: ac03bf51be9e0d6164e116fc649634568125bc730181c811c753de2d7f2e7245
    • Opcode Fuzzy Hash: f5125db33c838448577ca919c2ccb8b32fd32afd5ac3fb2b5220896041dad2a3
    • Instruction Fuzzy Hash: 7AD1A134600B068FCB24CF68C5B9A7ABFB1FF48322B54465BDC569B691E730AD49CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID:
    • API String ID: 4168288129-0
    • Opcode ID: d0e7054d670d83b6d882064d6f9fb6342b5f3e40f7e5c0805b7d0f71c86d43a7
    • Instruction ID: c90874e02407ad2475fce103d175fa18b0f8fc03db3e5172a5e1535a16c62d25
    • Opcode Fuzzy Hash: d0e7054d670d83b6d882064d6f9fb6342b5f3e40f7e5c0805b7d0f71c86d43a7
    • Instruction Fuzzy Hash: 9AB23871E046298FDB65CE28ED407EABBF5FB84305F1495EAD80DA7280D774AE819F40
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID: |kZ
    • API String ID: 0-2937930400
    • Opcode ID: 706f35022d076a7da4ff9ad9d630fc52cd24b226db976abe5a50086bc3b7aa86
    • Instruction ID: cc9925e7209adc2549512deffe9cb73f0ff32a0c6a1afba21c89b6f58121ce62
    • Opcode Fuzzy Hash: 706f35022d076a7da4ff9ad9d630fc52cd24b226db976abe5a50086bc3b7aa86
    • Instruction Fuzzy Hash: D7823A75E002189FCB08CF59D495AACBBF2FF88314F2482ADE859AB341D7359946DF90
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID: |jZ
    • API String ID: 0-3053876193
    • Opcode ID: c85a85da97673c6cb1b395b91ef0165f1d6b68c7529e0b26a2ffdcdb728ccd20
    • Instruction ID: ececcb92597a108b2ccf66614d54ebf59ed06072b7b0b4e406b4a1f102feb514
    • Opcode Fuzzy Hash: c85a85da97673c6cb1b395b91ef0165f1d6b68c7529e0b26a2ffdcdb728ccd20
    • Instruction Fuzzy Hash: 97525E70A012159FDB18CF59D5847ADBFB1FF88318F28C1A9D808AB252D375DA46DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,00000001,?,00000008,?,?,0057AD58,00000001,?,00000008,?,?,0057A7F9,00000000), ref: 0057AF8A
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: a533a360388f52c387675f5a7fe3d7e8c8a7e97ab0a8b922ecf6a3ee9080c4a8
    • Instruction ID: 5ad0d6cbd2aa1a92ee4171b85234574b973c48bf55a36984eea81e7e611e613a
    • Opcode Fuzzy Hash: a533a360388f52c387675f5a7fe3d7e8c8a7e97ab0a8b922ecf6a3ee9080c4a8
    • Instruction Fuzzy Hash: DDB15971210608DFE715CF28D48AB697FA0FF85364F29C658E899CF2A1C335E981DB41
    Uniqueness

    Uniqueness Score: -1.00%

    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 337e73cb24c21586c35fcaebb7b187dd6d90c2387fa1e98a089fd441c29c3b88
    • Instruction ID: a3df0fdc9d6bf36e37f3bcb8704837015a3770208bd9e1374dd732c994ce9166
    • Opcode Fuzzy Hash: 337e73cb24c21586c35fcaebb7b187dd6d90c2387fa1e98a089fd441c29c3b88
    • Instruction Fuzzy Hash: C451B37580421DAFDB249FB8CC89ABABBB9FF89304F1446DDE40993241EA319E458B50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0053711F
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    • Opcode ID: f9749c058b4017118d4016d4583731a415c591dec98caef982ce2a8951b3b464
    • Instruction ID: a0b00b7c9a01ff96af86b7ab385ac590fd0d6ddc44a89779a3f9adb58aa78beb
    • Opcode Fuzzy Hash: f9749c058b4017118d4016d4583731a415c591dec98caef982ce2a8951b3b464
    • Instruction Fuzzy Hash: 7F51AEB1E0570ACBDB68DF94D8857AABBF0FB58300F24852AE405EB250E374A944DF60
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0056D0A3
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Similarity
    • API ID:
    • String ID: 0
    • API String ID: 0-4108050209
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • EnumSystemLocalesW.KERNEL32(0056CDFC,00000001,00000000,?,-00000050,?,0056D430,00000000,?,?,?,00000055,?), ref: 0056CD48
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0056D018,00000000,00000000,?), ref: 0056D2AA
    Similarity
    • API ID: ErrorLast$InfoLocale
    • String ID:
    • API String ID: 3736152602-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • EnumSystemLocalesW.KERNEL32(0056D04F,00000001,00000000,?,-00000050,?,0056D3F8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0056CDBB
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00561ECA: EnterCriticalSection.KERNEL32(-00065902,?,005665E8,?,005AB128,00000008,005669DB,?,0054D546,?,?,0054D546,0053121C,?,0056244A), ref: 00561ED9
    • EnumSystemLocalesW.KERNEL32(00562766,00000001,005AB028,0000000C,005630D0,00000000), ref: 005627B1
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00566DA1: GetLastError.KERNEL32(00000000,?,0056DCDC,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000,?,00000010), ref: 00566DA5
      • Part of subcall function 00566DA1: SetLastError.KERNEL32(00000000,?,?,?,00000000,00000001,00000006,000000FF,?,?,?,00000000,005432E0,?,?,0053121C), ref: 00566E47
    • EnumSystemLocalesW.KERNEL32(0056CBC6,00000001,00000000,?,?,0056D452,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0056CCA4
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem
    • String ID:
    • API String ID: 2417226690-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00561047,?,20001004,00000000,00000002,?,?,005603AA), ref: 00563293
    Similarity
    • API ID: InfoLocale
    • String ID:
    • API String ID: 2299586839-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,00534A3B), ref: 00534553
    Similarity
    • API ID: InfoSystem
    • String ID:
    • API String ID: 31276548-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnumSystemLocalesW.KERNEL32(Function_00032766,00000001), ref: 00562932
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EnumSystemLocalesW.KERNEL32(Function_00032766,00000001), ref: 005628FC
    Similarity
    • API ID: EnumLocalesSystem
    • String ID:
    • API String ID: 2099609381-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00006DAF,00536278), ref: 00536DA5
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0

    Strings
    Similarity
    • API ID:
    • String ID: YUS
    • API String ID: 0-2843895154

    APIs
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0

    Similarity
    • API ID: ErrorLast
    • String ID:
    • API String ID: 1452528299-0

    APIs
    Strings
    Similarity
    • API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
    • String ID: \$[
    • API String ID: 2932655852-2545313564

    APIs
    Strings
    Similarity
    • API ID: shared_ptr$operator+$Name::operator+Name::operator=
    • String ID: |Y
    • API String ID: 1464150960-4190251829

    APIs
    • DName::operator+.LIBCMT ref: 0053D3C8
    • DName::operator+.LIBCMT ref: 0053D50B
      • Part of subcall function 00538DCE: shared_ptr.LIBCMT ref: 00538DEA
    • DName::operator+.LIBCMT ref: 0053D4B6
    • DName::operator+.LIBCMT ref: 0053D557
    • DName::operator+.LIBCMT ref: 0053D566
    • DName::operator+.LIBCMT ref: 0053D692
    • DName::operator=.LIBVCRUNTIME ref: 0053D6D2
    • DName::DName.LIBVCRUNTIME ref: 0053D6DC
    • DName::operator+.LIBCMT ref: 0053D6F9
    • DName::operator+.LIBCMT ref: 0053D705
      • Part of subcall function 0053EBCE: Replicator::operator[].LIBCMT ref: 0053EC0B
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
    • String ID:
    • API String ID: 1043660730-0

    APIs
    • Replicator::operator[].LIBCMT ref: 0053EC0B
    Strings
    Similarity
    • API ID: Replicator::operator[]
    • String ID: @$\$[$generic-type-$template-parameter-
    • API String ID: 3676697650-1312965378

    APIs
    • DName::operator+.LIBCMT ref: 0053DF19
    • UnDecorator::getSignedDimension.LIBCMT ref: 0053DF24
    • UnDecorator::getSignedDimension.LIBCMT ref: 0053E010
    • UnDecorator::getSignedDimension.LIBCMT ref: 0053E02D
    • UnDecorator::getSignedDimension.LIBCMT ref: 0053E04A
    • DName::operator+.LIBCMT ref: 0053E05F
    • UnDecorator::getSignedDimension.LIBCMT ref: 0053E079
    • swprintf.LIBCMT ref: 0053E0F3
    • DName::operator+.LIBCMT ref: 0053E14E
      • Part of subcall function 00539E7A: DName::DName.LIBVCRUNTIME ref: 00539ED8
    • DName::DName.LIBVCRUNTIME ref: 0053E1C5
    Similarity
    • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
    • String ID:
    • API String ID: 3689813335-0

    APIs
    Strings
    Similarity
    • API ID: __aulldiv
    • String ID: :$f$f$f$p$p$p
    • API String ID: 3732870572-1434680307

    APIs
    • DName::operator+.LIBCMT ref: 0053A2E1
    • DName::operator+.LIBCMT ref: 0053A334
      • Part of subcall function 00538DCE: shared_ptr.LIBCMT ref: 00538DEA
      • Part of subcall function 00538CBD: DName::operator+.LIBCMT ref: 00538CDE
    • DName::operator+.LIBCMT ref: 0053A325
    • DName::operator+.LIBCMT ref: 0053A385
    • DName::operator+.LIBCMT ref: 0053A392
    • DName::operator+.LIBCMT ref: 0053A3D9
    • DName::operator+.LIBCMT ref: 0053A3E6
    Strings
    Similarity
    • API ID: Name::operator+$shared_ptr
    • String ID: |Y
    • API String ID: 1037112749-4190251829

    APIs
    • type_info::operator==.LIBVCRUNTIME ref: 0054064A
    • ___TypeMatch.LIBVCRUNTIME ref: 00540758
    • _UnwindNestedFrames.LIBCMT ref: 005408AA
    • CallUnexpected.LIBVCRUNTIME ref: 005408C5
    Strings
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
    • String ID: csm$csm$csm
    • API String ID: 2751267872-393685449

    APIs
    • _ValidateLocalCookies.LIBCMT ref: 00537687
    • ___except_validate_context_record.LIBVCRUNTIME ref: 0053768F
    • _ValidateLocalCookies.LIBCMT ref: 00537718
    • __IsNonwritableInCurrentImage.LIBCMT ref: 00537743
    • _ValidateLocalCookies.LIBCMT ref: 00537798
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
    • String ID: GzS$csm
    • API String ID: 1170836740-2539124384
    • Opcode ID: e0922411c6f29fc8f413491be5a0d2d95fc68503025afc85191d3384512bc939
    • Instruction ID: a970643768b8c2e7fa928ada287d2a9ae528b8e6ccb0580ffd116f4f5db32cc3
    • Opcode Fuzzy Hash: e0922411c6f29fc8f413491be5a0d2d95fc68503025afc85191d3384512bc939
    • Instruction Fuzzy Hash: DD41B3B4E0420D9BCF20DF6CC889A9EBFB5FF49324F148455E815AB352D731AA15CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: _strrchr
    • String ID:
    • API String ID: 3213747228-0
    • Opcode ID: 5ac5a49c7886aaee7d62bcf34ba0d18555b44b0380b87b5be532695983ebff54
    • Instruction ID: 53e045c096a1955a2e4277bb55fb2e54db142dbb26fc529487522d84e964d475
    • Opcode Fuzzy Hash: 5ac5a49c7886aaee7d62bcf34ba0d18555b44b0380b87b5be532695983ebff54
    • Instruction Fuzzy Hash: C6B19732A80B569FDB21CF24CC91BAEBFA5FF56750F244555E940AB382F3B49900C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameW.KERNEL32(00000000,005B24E2,00000104), ref: 0055DFDB
      • Part of subcall function 005624F6: IsProcessorFeaturePresent.KERNEL32(00000017,005624C8,00000010,?,00000000,?,00000000,?,?,?,0055A397,00000000,00000000,00000000,00000000,00000000), ref: 005624F8
      • Part of subcall function 005624F6: GetCurrentProcess.KERNEL32(C0000417,?,00000010), ref: 0056251B
      • Part of subcall function 005624F6: TerminateProcess.KERNEL32(00000000), ref: 00562522
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Process$CurrentFeatureFileModuleNamePresentProcessorTerminate
    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program: $$[
    • API String ID: 872218275-544949332
    • Opcode ID: 3766105bf8605c829b79a87db4870ba2cd61a0f3f40a0e76c20732512823ebe0
    • Instruction ID: 425b6c0d818041e8f5273c037c56cc8d30a9bf83125270121afa307c8e857769
    • Opcode Fuzzy Hash: 3766105bf8605c829b79a87db4870ba2cd61a0f3f40a0e76c20732512823ebe0
    • Instruction Fuzzy Hash: 80214B3254420A67EF346A509C2FEAB3F5CBFE5756F400422FD08835A1FA61DB18D2A0
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d0d79613355c9ddc01cfe7732d9848852665d7aabd150ef52267f141a468d48a
    • Instruction ID: 150d2b193c5e610d79c38e2ab0a339189dc42036dd7ff9068e61b93fd73ebabb
    • Opcode Fuzzy Hash: d0d79613355c9ddc01cfe7732d9848852665d7aabd150ef52267f141a468d48a
    • Instruction Fuzzy Hash: 51B1F570A0824EABDB119F68F849BAD7FB1FF49304F148258E508A7392C770AE45DB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,005796BB,00000000,00000000,?,00000000,?,?,?,?,00000000,?), ref: 00579491
    • __freea.LIBCMT ref: 00579626
    • __freea.LIBCMT ref: 0057962C
    • __freea.LIBCMT ref: 00579662
    • __freea.LIBCMT ref: 00579668
    • __freea.LIBCMT ref: 00579678
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: __freea$Info
    • String ID:
    • API String ID: 541289543-0
    • Opcode ID: 1bf56ed5b5234e88f8b2275ed08ca9d5843ed81cc70941680774f5b57664a045
    • Instruction ID: 6a534be2bd8b513aa293bb8ed7d700fc8732dddbb09608dc78cf52473334640f
    • Opcode Fuzzy Hash: 1bf56ed5b5234e88f8b2275ed08ca9d5843ed81cc70941680774f5b57664a045
    • Instruction Fuzzy Hash: CA7107769002165FDF219EA4AC46FEE7FBABF89310F248159E90DA7281E735DC01A770
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 0053EABE
    • DName::operator+.LIBCMT ref: 0053EACA
      • Part of subcall function 00538DCE: shared_ptr.LIBCMT ref: 00538DEA
    • DName::operator+=.LIBCMT ref: 0053EB88
      • Part of subcall function 0053D35D: DName::operator+.LIBCMT ref: 0053D3C8
      • Part of subcall function 0053D35D: DName::operator+.LIBCMT ref: 0053D692
      • Part of subcall function 00538CBD: DName::operator+.LIBCMT ref: 00538CDE
    • DName::operator+.LIBCMT ref: 0053EB45
      • Part of subcall function 00538E26: DName::operator=.LIBVCRUNTIME ref: 00538E47
    • DName::DName.LIBVCRUNTIME ref: 0053EBAC
    • DName::operator+.LIBCMT ref: 0053EBB8
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
    • String ID:
    • API String ID: 2795783184-0
    • Opcode ID: 8cb6f05eaed23d6b11c9980a99b26663119ed4e65e8507bc73a1255b6ac24e14
    • Instruction ID: bdbbc1ae520eee587387979716bea557d1a14448ef68bb88875ea5dc88a54963
    • Opcode Fuzzy Hash: 8cb6f05eaed23d6b11c9980a99b26663119ed4e65e8507bc73a1255b6ac24e14
    • Instruction Fuzzy Hash: C94183B0A04248AFDF1ADFA8D866AADBFF9BB59300F040458F156AB2D1DB346D44C754
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0053EBCE: Replicator::operator[].LIBCMT ref: 0053EC0B
    • DName::operator=.LIBVCRUNTIME ref: 0053D7C7
      • Part of subcall function 0053D35D: DName::operator+.LIBCMT ref: 0053D3C8
      • Part of subcall function 0053D35D: DName::operator+.LIBCMT ref: 0053D692
    • DName::operator+.LIBCMT ref: 0053D781
    • DName::operator+.LIBCMT ref: 0053D78D
    • DName::DName.LIBVCRUNTIME ref: 0053D7D1
    • DName::operator+.LIBCMT ref: 0053D7EE
    • DName::operator+.LIBCMT ref: 0053D7FA
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
    • String ID:
    • API String ID: 955152517-0
    • Opcode ID: c05c96ecaf63a0ece9b439643fb90abae2b57f59d11dea7bb0f50f73e86cb730
    • Instruction ID: dc2230c98d73add5d742a6ff60ab55ecafc8ec9f775c1e8c2f6abcc3ae04e233
    • Opcode Fuzzy Hash: c05c96ecaf63a0ece9b439643fb90abae2b57f59d11dea7bb0f50f73e86cb730
    • Instruction Fuzzy Hash: 4B31A1B1A00305AFDB18DF64E455AAABFF4FF98300F14885DE48697391EB34A908CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,0053817B,00537C50,00536DF3), ref: 00538192
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005381A0
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005381B9
    • SetLastError.KERNEL32(00000000,0053817B,00537C50,00536DF3), ref: 0053820B
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 713edbf3e5eea2f4a7af11dea36d39c7f647cf25509bd084d739f495ede252c2
    • Instruction ID: 599bfb6a019c2207c0308bd1e7c9388deb7c46f7be7b0bcf2b720f44e1df36f5
    • Opcode Fuzzy Hash: 713edbf3e5eea2f4a7af11dea36d39c7f647cf25509bd084d739f495ede252c2
    • Instruction Fuzzy Hash: CC01D8725197126ED6182B746C8E9776FB4FB52775F30023AF912450E1EF614C06A254
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,25D5FA14,?,?,00000000,00596F45,000000FF,?,00541DA1,00541EE6,?,00541D75,00000000), ref: 00541E45
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00541E57
    • FreeLibrary.KERNEL32(00000000,?,?,00000000,00596F45,000000FF,?,00541DA1,00541EE6,?,00541D75,00000000), ref: 00541E79
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 0396fbd29dc12e9bf0a08c9c46218c57b6a8834790bd6fe04bc4f172ad257f6a
    • Instruction ID: dc63a980d6dc8b48a0fa23f0745820bdbb5903d078c4aad8fe928ec589ba2559
    • Opcode Fuzzy Hash: 0396fbd29dc12e9bf0a08c9c46218c57b6a8834790bd6fe04bc4f172ad257f6a
    • Instruction Fuzzy Hash: 03018F35A00619ABDB019F90DC09BBEBFB9FB05B14F040126E821E2290DB749844DA54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00562E57), ref: 00562EAD
    • GetLastError.KERNEL32(?,00562E57), ref: 00562EB7
    • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00562EF5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-$ext-ms-
    • API String ID: 3177248105-537541572
    • Opcode ID: d2cc78525480f0e5b6249aa1a8d3aa68ed8f389cb99398103e74f59a70f33882
    • Instruction ID: 07a3973f22a70210810c9ffe04d41b00a7efd33bdabd1cda9d018239c548ff43
    • Opcode Fuzzy Hash: d2cc78525480f0e5b6249aa1a8d3aa68ed8f389cb99398103e74f59a70f33882
    • Instruction Fuzzy Hash: 04F08C30684609BBEB201A60EC0AF3A3F59BB51B40F180430FD0CE95E0EFB6EC15E644
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: operator+shared_ptr$NameName::
    • String ID:
    • API String ID: 2894330373-0
    • Opcode ID: 18bce175552c1aa3386f08fbb4575327d3e83bbefa77f1653e45f2910e3cd4c8
    • Instruction ID: 674af61d5d44476e4d4a202206eaf10cefebb9b8dda16c54ac80da8397922598
    • Opcode Fuzzy Hash: 18bce175552c1aa3386f08fbb4575327d3e83bbefa77f1653e45f2910e3cd4c8
    • Instruction Fuzzy Hash: FB6160B180420AEFCF15DF68D8489BD7FB9FB45304F148A6AF415AB221E731AA05DF51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __is_exception_typeof.LIBVCRUNTIME ref: 00537C3D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: __is_exception_typeof
    • String ID: MOC$RCC$csm
    • API String ID: 3140442014-2671469338
    • Opcode ID: 0b41e68be55652cef56a8fbd7f1c70865681bcbe45c17f5fb5fa4ba3894daece
    • Instruction ID: c9ac0cb12df60d3b654aff0ef193cfb13a20bf2e5493a7ac84a6d8ef5cdd957c
    • Opcode Fuzzy Hash: 0b41e68be55652cef56a8fbd7f1c70865681bcbe45c17f5fb5fa4ba3894daece
    • Instruction Fuzzy Hash: 1D11DDB191870E9FC728AF54D405AA9BFF8FF48351F25409AF800AB261EB74ED40CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___swprintf_l.LIBCMT ref: 00538769
      • Part of subcall function 0053F203: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 0053F213
    • swprintf.LIBCMT ref: 0053878C
      • Part of subcall function 0053F21D: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0053F22F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
    • String ID: %lf$\$[
    • API String ID: 3672277462-772408046
    • Opcode ID: 2a04f5affb22fa66f34f5ce65269c31d0e264aebc76f857d31a42b8dac9e625d
    • Instruction ID: dbad28229fcf3e97fb6634f26585183608bd4425ecfd0cc89bd031531fba8ce8
    • Opcode Fuzzy Hash: 2a04f5affb22fa66f34f5ce65269c31d0e264aebc76f857d31a42b8dac9e625d
    • Instruction Fuzzy Hash: 4AF0C2A9500009BADB046B84DC4AFBF7FACEB85354F0140A8F68516141DB756E0093B2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___swprintf_l.LIBCMT ref: 005387C5
      • Part of subcall function 0053F203: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 0053F213
    • swprintf.LIBCMT ref: 005387E8
      • Part of subcall function 0053F21D: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 0053F22F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ___swprintf_l__vswprintf_c_l_vsnprintfswprintf
    • String ID: %lf$\$[
    • API String ID: 3672277462-772408046
    • Opcode ID: a76c8277a8b7e6e8a4dee74d396bf4c6f25ccd20388b07d20075d1689f86ff0b
    • Instruction ID: ad6fffefde829d7faf9bf8b4cc5a7f93a14118ace854f3e765f1632c8638139b
    • Opcode Fuzzy Hash: a76c8277a8b7e6e8a4dee74d396bf4c6f25ccd20388b07d20075d1689f86ff0b
    • Instruction Fuzzy Hash: FFF0B4A9500009BADB046B94DC4EFBF7FACEF85794F018068FA4957242DB75AE0093B6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0053F603,00000000,?,005B2418,?,?,?,0053F85A,00000004,InitializeCriticalSectionEx,0059FAA4,InitializeCriticalSectionEx), ref: 0053F713
    • GetLastError.KERNEL32(?,0053F603,00000000,?,005B2418,?,?,?,0053F85A,00000004,InitializeCriticalSectionEx,0059FAA4,InitializeCriticalSectionEx,00000000,?,005382B1), ref: 0053F71D
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0053F745
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: a2283524f9ae96462cdc0459deae4d4a1cbdc41c2d96fc257b44810b43260528
    • Instruction ID: 63642d3a1c11f2e0db441736b77f5ea4a8d3688367779ac18d0dc4dbe560a948
    • Opcode Fuzzy Hash: a2283524f9ae96462cdc0459deae4d4a1cbdc41c2d96fc257b44810b43260528
    • Instruction Fuzzy Hash: 1EE04F30A80208BBEF501BA0EC0EF693F59FB11B50F154431F90CE80E0DBA2E829A744
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleOutputCP.KERNEL32(25D5FA14,00000000,00000000,00000000), ref: 0056F22A
      • Part of subcall function 0056989F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,?,00000000,?,?,?,00565C35,?,00000000,?), ref: 00569900
    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0056F47C
    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0056F4C2
    • GetLastError.KERNEL32 ref: 0056F565
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
    • String ID:
    • API String ID: 2112829910-0
    • Opcode ID: d0d768af173101a58c4eda3d90b0c8b5ff27b93cbfe11d927207dd20600a511a
    • Instruction ID: bfd792d08ef53362f04bd2ee713906ab4f905d5a6237d11bb6f17704e475fa35
    • Opcode Fuzzy Hash: d0d768af173101a58c4eda3d90b0c8b5ff27b93cbfe11d927207dd20600a511a
    • Instruction Fuzzy Hash: 6FD19BB5D042499FCF14CFA8E8849ADBFB5FF59300F28452AE826EB351E730A945CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 0053B47F
    • UnDecorator::getSymbolName.LIBCMT ref: 0053B511
    • DName::operator+.LIBCMT ref: 0053B615
    • DName::DName.LIBVCRUNTIME ref: 0053B6B8
      • Part of subcall function 00538DCE: shared_ptr.LIBCMT ref: 00538DEA
      • Part of subcall function 00539068: DName::DName.LIBVCRUNTIME ref: 005390C6
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
    • String ID:
    • API String ID: 1134295639-0
    • Opcode ID: 66e17ebfab07d28ae10835d79a10e5d42f1d931d21603ebeeead2737e26d7956
    • Instruction ID: d0fb2a544ac827cbf60fd6df620b34ca505439ba9cfd4b32a2554ee41af55909
    • Opcode Fuzzy Hash: 66e17ebfab07d28ae10835d79a10e5d42f1d931d21603ebeeead2737e26d7956
    • Instruction Fuzzy Hash: 1E715DB1D002099FEF14CF94D885AEEBFB4BF18310F14051AEA11AB262EB34A944DF61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: AdjustPointer
    • String ID:
    • API String ID: 1740715915-0
    • Opcode ID: 4ae955ca7738208aaa9404a6ae90f38ed1224a3ff551bdbf6060941205eba3eb
    • Instruction ID: 166b62efa5fe04c32c08fa56ca46c84e4d640a6c47faad752b09e93965327b1a
    • Opcode Fuzzy Hash: 4ae955ca7738208aaa9404a6ae90f38ed1224a3ff551bdbf6060941205eba3eb
    • Instruction Fuzzy Hash: C651CC72605606EFDB298F14D885BFABFA4FF44318F245929EA02972D1E731EC81D790
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+.LIBCMT ref: 0053B87B
      • Part of subcall function 00538D92: DName::operator+=.LIBCMT ref: 00538DA8
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name::operator+Name::operator+=
    • String ID:
    • API String ID: 382699925-0
    • Opcode ID: 65bbbb0c8ba6103378bdb97ba5aa8f6a8d48286ef33b32f0e75c090f7edb1b31
    • Instruction ID: b84ae27eb96f176ffda3eaf9c1d2cbae7b243016206a0620a1cff1cc0a522ac7
    • Opcode Fuzzy Hash: 65bbbb0c8ba6103378bdb97ba5aa8f6a8d48286ef33b32f0e75c090f7edb1b31
    • Instruction Fuzzy Hash: AC411072D0420A9BEF04DFA8D489AFEBFF8FF44314F100519E611A7250DB749A88DB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCommandLineW.KERNEL32 ref: 00534574
    • CommandLineToArgvW.SHELL32(00000000,00000000), ref: 0053457F
    • lstrlenW.KERNEL32 ref: 005345C1
    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0053461A
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: CommandLine$ArgvCurrentDirectorylstrlen
    • String ID:
    • API String ID: 159791187-0
    • Opcode ID: f52b45509632394802dfbe16a87e4767bb58cff8912e99379481fc2201ccb047
    • Instruction ID: 35b96e8cc45bd77325557923c26f95c018cd7778bda8e0cd14c05cdbfc55d94a
    • Opcode Fuzzy Hash: f52b45509632394802dfbe16a87e4767bb58cff8912e99379481fc2201ccb047
    • Instruction Fuzzy Hash: 2231F475D00115ABCF289FA8D889ABDBFB4FF96314F10859AE412E3190DB74AE85CF50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0056989F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,?,00000000,?,?,?,00565C35,?,00000000,?), ref: 00569900
    • GetLastError.KERNEL32 ref: 005678B9
    • __dosmaperr.LIBCMT ref: 005678C0
    • GetLastError.KERNEL32(?,?,?,?), ref: 005678FA
    • __dosmaperr.LIBCMT ref: 00567901
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
    • String ID:
    • API String ID: 1913693674-0
    • Opcode ID: 24b59e2c4fe180b120032fbcf947ca8df311fa35ccf838a251e2306a2cbecb65
    • Instruction ID: 820bdb79a3bb5bbcac1c5a87b96aa13ac5d9a6dc6d85ca60165c43eb68e7dcc7
    • Opcode Fuzzy Hash: 24b59e2c4fe180b120032fbcf947ca8df311fa35ccf838a251e2306a2cbecb65
    • Instruction Fuzzy Hash: 9F21AA7160460AAFDB20AF65C88897B7FA9FF98368B104929F85597150EB30ED50DB50
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 759ad87117eef1a12794da5a3b4e4103af8e8771f590a1ac2783f7b715032acd
    • Instruction ID: cc6c9a9ee9518c80c83fdaa5185a8261aa3865ac49ea98550d80a22fae789739
    • Opcode Fuzzy Hash: 759ad87117eef1a12794da5a3b4e4103af8e8771f590a1ac2783f7b715032acd
    • Instruction Fuzzy Hash: 9621C031600607AFDB20AF60DC4897B7FA8FF91364B108A25FA15D7150EF30EC1497A2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 005699AE
      • Part of subcall function 0056989F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000001,?,00000000,?,?,?,00565C35,?,00000000,?), ref: 00569900
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005699E6
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00569A06
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: EnvironmentStrings$Free$ByteCharMultiWide
    • String ID:
    • API String ID: 158306478-0
    • Opcode ID: c951ef553e231b73c069d293a84a8af7fba8904027deabc8a740d1e3bbd15113
    • Instruction ID: fa5bcc9bd4bf316da21f687e5da0fa524de0f954b12631e6f18b1aac76df97eb
    • Opcode Fuzzy Hash: c951ef553e231b73c069d293a84a8af7fba8904027deabc8a740d1e3bbd15113
    • Instruction Fuzzy Hash: 7911ADF25015167F6A2167B56C8DCBF6D9CEEE67E4B150529F801D3100FE70CD01A5B0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 00576D89
    • GetLastError.KERNEL32(?,?,?,?), ref: 00576D96
    • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 00576DBC
    • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 00576DE2
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: FilePointer$ErrorLast
    • String ID:
    • API String ID: 142388799-0
    • Opcode ID: 336454a4526cd5fd26647f9a6c246b0a30231940c9a7f220ab7b443880be156c
    • Instruction ID: e7148da3d5d838a58b65329be7056f3a753be757a2acaea052610b8975add3ef
    • Opcode Fuzzy Hash: 336454a4526cd5fd26647f9a6c246b0a30231940c9a7f220ab7b443880be156c
    • Instruction Fuzzy Hash: B4115A75A1051ABBDF209F95DD089EF3F79FF01360F108155F928A61A0DB71DA44EBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(2T,2T,?,0054D546,0053121C,?,0056244A,?,?,?,?,?,00000000,005432E0,?,?), ref: 0054E21E
    • SetLastError.KERNEL32(J$V,?,0056244A,?,?,?,?,?,00000000,005432E0,?,?,0053121C,00000000,?,00000000), ref: 0054E254
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ErrorLast
    • String ID: J$V$2T
    • API String ID: 1452528299-2949957675
    • Opcode ID: 2c1c3025a5511e0ad9072534878635b28a2204ead0ee46179789796a904e0ef9
    • Instruction ID: 864cd247e6a3e1bb330d69ab02232e9400d228f230a6921d3d39a69eda066d85
    • Opcode Fuzzy Hash: 2c1c3025a5511e0ad9072534878635b28a2204ead0ee46179789796a904e0ef9
    • Instruction Fuzzy Hash: AA01A272804205AFC7109BA5D80AB9AFFADFF51714F248556E40883200EBB1ED61DBD0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 005797D1
    • GetLastError.KERNEL32 ref: 005797DD
      • Part of subcall function 00579886: CloseHandle.KERNEL32(FFFFFFFE,005798D0,?,005770A9,00000000,00000001,?,00000000,?,0056F5B9,00000000,00000000,00000000,00000000,00000000), ref: 00579896
    • ___initconout.LIBCMT ref: 005797ED
      • Part of subcall function 00579848: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00579877,00577096,00000000,?,0056F5B9,00000000,00000000,00000000,00000000), ref: 0057985B
    • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 00579801
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: 489eb04d904e83e26f6d2245869894802027ea86a01fcf53f79f19121fe585bf
    • Instruction ID: cd72434d7528ac768845c01b8b65c8e5e0fc4e4a79bed77fc226b07115b38a13
    • Opcode Fuzzy Hash: 489eb04d904e83e26f6d2245869894802027ea86a01fcf53f79f19121fe585bf
    • Instruction Fuzzy Hash: 6BF05E36100901ABCB222B96EC08D867FB6FFDA3217158416F64E82530DA329814BB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,005770A9,00000000,00000001,?,00000000,?,0056F5B9,00000000,00000000,00000000), ref: 005798B4
    • GetLastError.KERNEL32(?,005770A9,00000000,00000001,?,00000000,?,0056F5B9,00000000,00000000,00000000,00000000,00000000,?,0056FBA4,?), ref: 005798C0
      • Part of subcall function 00579886: CloseHandle.KERNEL32(FFFFFFFE,005798D0,?,005770A9,00000000,00000001,?,00000000,?,0056F5B9,00000000,00000000,00000000,00000000,00000000), ref: 00579896
    • ___initconout.LIBCMT ref: 005798D0
      • Part of subcall function 00579848: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00579877,00577096,00000000,?,0056F5B9,00000000,00000000,00000000,00000000), ref: 0057985B
    • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,005770A9,00000000,00000001,?,00000000,?,0056F5B9,00000000,00000000,00000000,00000000), ref: 005798E5
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
    • String ID:
    • API String ID: 2744216297-0
    • Opcode ID: f49b1eda5f98f4381808851561165eea70c8d260d52e9844c45ecc7223f67a37
    • Instruction ID: 76f09eebe306da78272689a8f4ec64fcc1db3bc5f938c955e38b2141ae74d69e
    • Opcode Fuzzy Hash: f49b1eda5f98f4381808851561165eea70c8d260d52e9844c45ecc7223f67a37
    • Instruction Fuzzy Hash: E6F0AC36500555BBCF622F95EC08ADA3F66FB5A3A1B058015FB1D95131CA328828BBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: __aulldiv
    • String ID: +$-
    • API String ID: 3732870572-2137968064
    • Opcode ID: e5f5c5de76f9dc621eeb51716576f680264a870e5b6e6edadf704e0ed8052834
    • Instruction ID: 0e3e0dfaab04af21ba67b739b03271378257c067926c20f8cec5466451730304
    • Opcode Fuzzy Hash: e5f5c5de76f9dc621eeb51716576f680264a870e5b6e6edadf704e0ed8052834
    • Instruction Fuzzy Hash: 74A1F331901249AFCF24CE78C8656FE7FB6FF45322F14855BEC61EB291D234990A8B60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • Replicator::operator[].LIBCMT ref: 0053DB73
    • DName::DName.LIBVCRUNTIME ref: 0053DCBE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: NameName::Replicator::operator[]
    • String ID: \$[
    • API String ID: 3707554701-2545313564
    • Opcode ID: 0da4664a3da70e345595d5bdc1b2b0f13fac795d4478e9f98e9d90d4eb87ac7e
    • Instruction ID: 2664131ff15673ee7e2190b387c01188f00174b909a823b079f973f40d31dbc6
    • Opcode Fuzzy Hash: 0da4664a3da70e345595d5bdc1b2b0f13fac795d4478e9f98e9d90d4eb87ac7e
    • Instruction Fuzzy Hash: 4251C0719042499FCB29CFA8E4986AEFFF8BB55300F04815EE451A77A1DB71AD08CB71
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID:
    • String ID: C:\Users\user\Desktop\qd_x86.exe$+[
    • API String ID: 0-372409529
    • Opcode ID: 562791cd6a4b7340b478791aace3eca4e6dde2f45ee54ed9451557986fbd8edd
    • Instruction ID: 69e22bcfe1688772e1554d47f616a13f1d112ea65e6a3845703a74141fa31b3c
    • Opcode Fuzzy Hash: 562791cd6a4b7340b478791aace3eca4e6dde2f45ee54ed9451557986fbd8edd
    • Instruction Fuzzy Hash: 7231F571A00214EBCB259F99DC869AFBFACFB44351F15446BF80497201E670AF09DBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EncodePointer.KERNEL32(00000000,?), ref: 005408F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: EncodePointer
    • String ID: MOC$RCC
    • API String ID: 2118026453-2084237596
    • Opcode ID: 1da7c0675ddb1ad92c9973d22a4a913c8e585f7c3d7bb35ae029260ee92b8549
    • Instruction ID: e93d940c0030c2d1628c48c6db1502f35f412cc346e886a48e68d64f87b39a42
    • Opcode Fuzzy Hash: 1da7c0675ddb1ad92c9973d22a4a913c8e585f7c3d7bb35ae029260ee92b8549
    • Instruction Fuzzy Hash: 6F418B32900209EFDF15DF94CC81AEEBFB5BF48308F248159FA05A7292D3359951DB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: NameName::
    • String ID: A
    • API String ID: 1333004437-3554254475
    • Opcode ID: ae5a41b8db182d8f4367b426af9eff774221dbd36b6e924b98e6a6f32dc55709
    • Instruction ID: df2a2fb5a0c3737e407781d6bf0fe259cd72693a1263390ccc1445ebb5927806
    • Opcode Fuzzy Hash: ae5a41b8db182d8f4367b426af9eff774221dbd36b6e924b98e6a6f32dc55709
    • Instruction Fuzzy Hash: F721CD70900209EFEF18DF94D846BAC7FB1FF84304F14888AF6559B261CB31AA45DB41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • DName::operator+=.LIBCMT ref: 00538F04
      • Part of subcall function 00538BE3: pDNameNode::pDNameNode.LIBCMT ref: 00538C0B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name$Name::operator+=NodeNode::p
    • String ID: \$[
    • API String ID: 2687079329-2545313564
    • Opcode ID: b3abcbd5f91fc559c913ee897e1f5e85892eb44632209a0a78ba3d98474bd653
    • Instruction ID: b641eb927f00c1fc79b605044464050ad9c078fc35f4bfff4895ae06022fb38a
    • Opcode Fuzzy Hash: b3abcbd5f91fc559c913ee897e1f5e85892eb44632209a0a78ba3d98474bd653
    • Instruction Fuzzy Hash: B1F0E0A530871526CA2C2AA8585567BFF9FBFD5B14F04402EF54197242DD91DC41D3B0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.1983699035.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.1983678660.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983735957.0000000000598000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983753865.00000000005AD000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983766816.00000000005AE000.00000008.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983782987.00000000005B2000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.1983795863.00000000005B4000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_qd_x86.jbxd
    Similarity
    • API ID: Name::operator+
    • String ID: \$[
    • API String ID: 2943138195-2545313564
    • Opcode ID: 87f6e5ba49994ea7efb02d04a6372725f611475d02e4700870021787f40caf9a
    • Instruction ID: f4ca7187cd3082250c296eef435a698e6469a0d61e8a6cbb3f7307fc3a3de517
    • Opcode Fuzzy Hash: 87f6e5ba49994ea7efb02d04a6372725f611475d02e4700870021787f40caf9a
    • Instruction Fuzzy Hash: E9F0497190071AABDB14AF94C819BDE7FA8FF54750F004458FA4557281DB70A945C7D0
    Uniqueness

    Uniqueness Score: -1.00%