Edit tour

Windows Analysis Report
S34C65xU.exe

Overview

General Information

Sample name:	S34C65xU.exe
Analysis ID:	1428818
MD5:	1cd84bbd0b0dc7c19bedc0f5d292070b
SHA1:	68840931dfaf6652cec3165b79de3daa9c100b64
SHA256:	58ec960ce6f2f0c2f04fb70915767bb2caebf6a7b63411e92fbee6cc9e9bbad7
Infos:

Detection

Score:	39
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	48
Range:	0 - 100

Signatures

Machine Learning detection for sample

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops certificate files (DER)

Found evasive API chain (may stop execution after checking a module file name)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample crashes during execution, try analyze it on another analysis machine

Process Tree

System is w10x64_ra

S34C65xU.exe (PID: 5760 cmdline: "C:\Users\user\Desktop\S34C65xU.exe" MD5: 1CD84BBD0B0DC7C19BEDC0F5D292070B)

Samsung_Driver_Installer.exe (PID: 4560 cmdline: "C:\Driver\Samsung_Driver_Installer.exe" MD5: 15770FC2AC6D46F841CB5B8E3C453F32)

WerFault.exe (PID: 5336 cmdline: C:\Windows\system32\WerFault.exe -u -p 4560 -s 1800 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Machine Learning detection for sample

Source: S34C65xU.exe

Joe Sandbox ML: detected

Compliance

Uses 32bit PE files

Source: S34C65xU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: S34C65xU.exe

Static PE information: certificate valid

Uses new MSVCR Dlls

Source: C:\Driver\Samsung_Driver_Installer.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: S34C65xU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: UxTheme.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rsaenh.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: fastprox.pdbRSDS$ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rsaenh.pdbRSDS! source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptbase.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imagehlp.pdbRSDS y= source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcrypt.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: advapi32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ucrtbase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemcomn.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcrt.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: comctl32.pdbRSDS8 source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorjit.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: crypt32.pdbRSDSii source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptsp.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: advapi32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: comctl32v582.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ws2_32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: CLBCatQ.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: profapi.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shlwapi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernel32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: userenv.pdbRSDSo source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msasn1.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorsec.pdbRSDSjw) source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: win32u.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WLDP.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcr80.AMD64.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoreei.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoree.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imm32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: oleaut32.pdbRSDS/ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ws2_32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcryptprimitives.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\Visual Studio 2019\Projects\MonitorDriverWinForms\obj\Debug\Samsung_Driver_Installer.pdbH source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcrt.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gpapi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imm32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ole32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: version.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernel32.pdbRSDSJ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Management.pdbRSDSv3i source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msasn1.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WindowsCodecs.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorlib.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\Visual Studio 2019\Projects\MonitorDriverWinForms\obj\Debug\Samsung_Driver_Installer.pdb source: S34C65xU.exe, 00000000.00000003.1110186783.0000000002912000.00000004.00000020.00020000.00000000.sdmp, WER3508.tmp.mdmp.5.dr, Samsung_Driver_Installer.exe.0.dr
Source:	Binary string: comctl32v582.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Kernel.Appcore.pdbRSDSX source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: DWrite.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Windows.Storage.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: combase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Drawing.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Management.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\Visual Studio 2019\Projects\MonitorDriverWinForms\obj\Debug\Samsung_Driver_Installer.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemprox.pdbRSDSo source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcr80.AMD64.pdbRSDSY source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: apphelp.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: user32.pdbRSDS(. source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernelbase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorlib.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rpcrt4.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32full.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: DWrite.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: UxTheme.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: win32u.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rpcrt4.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shcore.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcrypt.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gpapi.pdbRSDS+ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wmiutils.pdbRSDSk source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Windows.Storage.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shell32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoree.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcp_win.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: userenv.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcp_win.pdbRSDSO<+ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ntdll.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imagehlp.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32full.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorsec.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wmiutils.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdiplus.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorwks.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: profapi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WindowsCodecs.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: sechost.pdbRSDS2L source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WMINet_Utils.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ucrtbase.pdbRSDS:r source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: apphelp.pdbRSDSM source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WLDP.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorjit.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: sechost.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shcore.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shlwapi.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msctf.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernelbase.pdbRSDS" source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemcomn.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: fastprox.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemsvc.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msctf.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Amsi.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: version.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wintrust.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdiplus.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Drawing.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: user32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Kernel.Appcore.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ole32.pdbRSDS*= source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: CLBCatQ.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WMINet_Utils.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shell32.pdbRSDSE source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptbase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoreei.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcryptprimitives.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ntdll.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Amsi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: oleaut32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorwks.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wintrust.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemsvc.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: combase.pdbRSDSV source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptsp.pdbRSDS8 source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\KHK\Source\git\alzip-windows\alzip-windows.v11\ALZip\Bin\EGGSFX.pdb source: S34C65xU.exe, S34C65xU.exe, 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: IconCodecService.pdbRSDS8 source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: comctl32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemprox.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: crypt32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: IconCodecService.pdb source: WER3508.tmp.mdmp.5.dr

Spreading

Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0040420F __EH_prolog3_GS,_memset,FindFirstFileW,RemoveDirectoryW,GetFileAttributesW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_0040420F
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00406766 __EH_prolog3_GS,GetDlgItem,_memset,GetWindowTextW,MessageBoxW,FindFirstFileW,MessageBoxW,FindClose,EndDialog,	0_2_00406766
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00406CB9 __EH_prolog3_GS,LoadIconW,SendMessageW,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,FindFirstFileW,FindClose,_memset,PathCompactPathExW,SetWindowTextW,SetWindowTextW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,_memset,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,	0_2_00406CB9
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0042FC86 FindFirstFileW,GetLastError,FindClose,SHGetFileInfoW,SHGetFileInfoW,SHGetFileInfoW,SHGetFileInfoW,	0_2_0042FC86

Software Vulnerabilities

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Driver\Samsung_Driver_Installer.exe

Code function: 4x nop then jmp 00007FF9D1DB2955h

2_2_00007FF9D1DB1519

Networking

Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: S34C65xU.exe, Samsung_Driver_Installer.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud

Drops certificate files (DER)

Source: C:\Users\user\Desktop\S34C65xU.exe	File created: C:\Driver\Manual_S34C65xU\S34C65xU.cat			Jump to dropped file
Source: C:\Users\user\Desktop\S34C65xU.exe	File created: C:\Driver\S34C65xU.cat			Jump to dropped file

System Summary

Detected potential crypto function

Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00410073	0_2_00410073
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00405E69	0_2_00405E69
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0043A060	0_2_0043A060
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0043A359	0_2_0043A359
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0040E300	0_2_0040E300
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0043830F	0_2_0043830F
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004323FD	0_2_004323FD
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004386CB	0_2_004386CB
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0043C762	0_2_0043C762
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004487AB	0_2_004487AB
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00434868	0_2_00434868
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0041082C	0_2_0041082C
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004408B0	0_2_004408B0
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0044095D	0_2_0044095D
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0045096C	0_2_0045096C
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00438A0F	0_2_00438A0F
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0044EA8B	0_2_0044EA8B
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00434A97	0_2_00434A97
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00438DB1	0_2_00438DB1
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00440E32	0_2_00440E32
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00438EB6	0_2_00438EB6
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0044EFCF	0_2_0044EFCF
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004390E4	0_2_004390E4
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004331B6	0_2_004331B6
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00441206	0_2_00441206
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0043D2DD	0_2_0043D2DD
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004112BA	0_2_004112BA
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0044F513	0_2_0044F513
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00441612	0_2_00441612
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0040F747	0_2_0040F747
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00441A32	0_2_00441A32
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00439A85	0_2_00439A85
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0040FB0D	0_2_0040FB0D
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0044FC0B	0_2_0044FC0B
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00433E23	0_2_00433E23
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00439EB2	0_2_00439EB2
Source: C:\Driver\Samsung_Driver_Installer.exe	Code function: 2_2_00007FF9D1DB0979	2_2_00007FF9D1DB0979

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: String function: 0044396C appears 43 times
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: String function: 00442764 appears 51 times
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: String function: 004426FB appears 221 times

One or more processes crash

Source: C:\Driver\Samsung_Driver_Installer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4560 -s 1800

Sample file is different than original file name gathered from version info

Source: S34C65xU.exe, 00000000.00000003.1110186783.0000000002912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSamsung_Driver_Installer.exeL vs S34C65xU.exe
Source: S34C65xU.exe, 00000000.00000003.1196372439.0000000000644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSamsung_Driver_Installer.exeL vs S34C65xU.exe
Source: S34C65xU.exe, 00000000.00000000.1108134487.0000000000488000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEGGSFX.sfx. vs S34C65xU.exe
Source: S34C65xU.exe, 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEGGSFX.sfx. vs S34C65xU.exe
Source: S34C65xU.exe	Binary or memory string: OriginalFilenameEGGSFX.sfx. vs S34C65xU.exe

Uses 32bit PE files

Source: S34C65xU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus39.evad.winEXE@4/12@0/0

Source: C:\Driver\Samsung_Driver_Installer.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4560

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\729adeb0-488a-4a23-aa81-8d6b88d7ec51

Jump to behavior

Source: C:\Users\user\Desktop\S34C65xU.exe

Command line argument: KD

0_2_00444B30

Source: C:\Users\user\Desktop\S34C65xU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\S34C65xU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\S34C65xU.exe

File read: C:\Users\user\Desktop\S34C65xU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\S34C65xU.exe "C:\Users\user\Desktop\S34C65xU.exe"
Source: C:\Users\user\Desktop\S34C65xU.exe	Process created: C:\Driver\Samsung_Driver_Installer.exe "C:\Driver\Samsung_Driver_Installer.exe"
Source: C:\Driver\Samsung_Driver_Installer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4560 -s 1800
Source: C:\Users\user\Desktop\S34C65xU.exe	Process created: C:\Driver\Samsung_Driver_Installer.exe "C:\Driver\Samsung_Driver_Installer.exe"	Jump to behavior

Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\S34C65xU.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\S34C65xU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Driver\Samsung_Driver_Installer.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

PE / OLE file has a valid certificate

Source: S34C65xU.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: S34C65xU.exe

Static file information: File size 3593752 > 1048576

Uses new MSVCR Dlls

Source: C:\Driver\Samsung_Driver_Installer.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: S34C65xU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: UxTheme.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rsaenh.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: fastprox.pdbRSDS$ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rsaenh.pdbRSDS! source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptbase.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imagehlp.pdbRSDS y= source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcrypt.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: advapi32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ucrtbase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemcomn.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcrt.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: comctl32.pdbRSDS8 source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorjit.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Windows.Forms.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: crypt32.pdbRSDSii source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptsp.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: advapi32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: comctl32v582.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ws2_32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: CLBCatQ.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: profapi.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shlwapi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernel32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: userenv.pdbRSDSo source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msasn1.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorsec.pdbRSDSjw) source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: win32u.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WLDP.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcr80.AMD64.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoreei.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoree.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imm32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: oleaut32.pdbRSDS/ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ws2_32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcryptprimitives.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\Visual Studio 2019\Projects\MonitorDriverWinForms\obj\Debug\Samsung_Driver_Installer.pdbH source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcrt.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gpapi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imm32.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ole32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: version.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernel32.pdbRSDSJ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Management.pdbRSDSv3i source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msasn1.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WindowsCodecs.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorlib.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\Visual Studio 2019\Projects\MonitorDriverWinForms\obj\Debug\Samsung_Driver_Installer.pdb source: S34C65xU.exe, 00000000.00000003.1110186783.0000000002912000.00000004.00000020.00020000.00000000.sdmp, WER3508.tmp.mdmp.5.dr, Samsung_Driver_Installer.exe.0.dr
Source:	Binary string: comctl32v582.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Kernel.Appcore.pdbRSDSX source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: DWrite.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Windows.Storage.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: combase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Drawing.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Management.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\Visual Studio 2019\Projects\MonitorDriverWinForms\obj\Debug\Samsung_Driver_Installer.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemprox.pdbRSDSo source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcr80.AMD64.pdbRSDSY source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: apphelp.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: user32.pdbRSDS(. source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernelbase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorlib.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rpcrt4.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32full.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: DWrite.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: UxTheme.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: win32u.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: rpcrt4.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shcore.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcrypt.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gpapi.pdbRSDS+ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wmiutils.pdbRSDSk source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Windows.Storage.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shell32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoree.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcp_win.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: userenv.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msvcp_win.pdbRSDSO<+ source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ntdll.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: imagehlp.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32full.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorsec.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wmiutils.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdiplus.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorwks.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdi32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: profapi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WindowsCodecs.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: sechost.pdbRSDS2L source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WMINet_Utils.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ucrtbase.pdbRSDS:r source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: apphelp.pdbRSDSM source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WLDP.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorjit.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: sechost.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shcore.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shlwapi.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msctf.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: kernelbase.pdbRSDS" source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemcomn.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: fastprox.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemsvc.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: msctf.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Amsi.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: version.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wintrust.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: gdiplus.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Drawing.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: user32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: System.Windows.Forms.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Kernel.Appcore.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ole32.pdbRSDS*= source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: CLBCatQ.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: WMINet_Utils.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: shell32.pdbRSDSE source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptbase.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscoreei.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: bcryptprimitives.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: ntdll.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: Amsi.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: oleaut32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: mscorwks.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wintrust.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemsvc.pdbRSDS source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: combase.pdbRSDSV source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: cryptsp.pdbRSDS8 source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: D:\KHK\Source\git\alzip-windows\alzip-windows.v11\ALZip\Bin\EGGSFX.pdb source: S34C65xU.exe, S34C65xU.exe, 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: IconCodecService.pdbRSDS8 source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: comctl32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: wbemprox.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: crypt32.pdb source: WER3508.tmp.mdmp.5.dr
Source:	Binary string: IconCodecService.pdb source: WER3508.tmp.mdmp.5.dr

Data Obfuscation

Binary contains a suspicious time stamp

Source: Samsung_Driver_Installer.exe.0.dr

Static PE information: 0xC4A09AAF [Sun Jul 15 05:54:55 2074 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_004136CA LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004136CA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004427D3 push ecx; ret	0_2_004427E6
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_004439B1 push ecx; ret	0_2_004439C4
Source: C:\Driver\Samsung_Driver_Installer.exe	Code function: 2_2_00007FF9D1DB4388 push EDE0B849h; retf	2_2_00007FF9D1DB43A8

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\S34C65xU.exe

File created: C:\Driver\Samsung_Driver_Installer.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Driver\Samsung_Driver_Installer.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Jump to behavior

Source: C:\Users\user\Desktop\S34C65xU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Driver\Samsung_Driver_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity Where DeviceID Like 'DISPLAY%'

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Driver\Samsung_Driver_Installer.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_VideoController

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Driver\Samsung_Driver_Installer.exe	Memory allocated: F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Memory allocated: 2C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Memory allocated: 1AC00000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\S34C65xU.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-40763
Source: C:\Users\user\Desktop\S34C65xU.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-39453

Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0040420F __EH_prolog3_GS,_memset,FindFirstFileW,RemoveDirectoryW,GetFileAttributesW,FindNextFileW,FindClose,RemoveDirectoryW,	0_2_0040420F
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00406766 __EH_prolog3_GS,GetDlgItem,_memset,GetWindowTextW,MessageBoxW,FindFirstFileW,MessageBoxW,FindClose,EndDialog,	0_2_00406766
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00406CB9 __EH_prolog3_GS,LoadIconW,SendMessageW,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,RtlEnterCriticalSection,RtlLeaveCriticalSection,_memset,FindFirstFileW,FindClose,_memset,PathCompactPathExW,SetWindowTextW,SetWindowTextW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetWindowTextW,SetWindowTextW,SetWindowTextW,SetWindowTextW,_memset,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,	0_2_00406CB9
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0042FC86 FindFirstFileW,GetLastError,FindClose,SHGetFileInfoW,SHGetFileInfoW,SHGetFileInfoW,SHGetFileInfoW,	0_2_0042FC86

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-42 27 b8 c1 67 22 50 4e-8b 1e 52 5b b1 3b 4a 34
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\S34C65xU.exe

API call chain: ExitProcess graph end node

graph_0-40764

Anti Debugging

Checks if the current process is being debugged

Source: C:\Driver\Samsung_Driver_Installer.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_0043E025 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0043E025

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_004136CA LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_004136CA

Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0043E025 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0043E025
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00444D9E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00444D9E
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_00449993 SetUnhandledExceptionFilter,	0_2_00449993
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: 0_2_0043DE6E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0043DE6E

Source: C:\Driver\Samsung_Driver_Installer.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_00408E7F _wcslen,_memset,ShellExecuteExW,WaitForSingleObject,WaitForSingleObject,PeekMessageW,TranslateMessage,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

0_2_00408E7F

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\S34C65xU.exe

Process created: C:\Driver\Samsung_Driver_Installer.exe "C:\Driver\Samsung_Driver_Installer.exe"

Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_0043A2F5 cpuid

0_2_0043A2F5

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: GetLocaleInfoA,		0_2_0044C1AE
Source: C:\Users\user\Desktop\S34C65xU.exe	Code function: GetLocaleInfoW,		0_2_0041F0FE

Queries the volume information (name, serial number etc) of a device

Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Driver\Samsung_Driver_Installer.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_0043FA7B GetSystemTimeAsFileTime,__aulldiv,

0_2_0043FA7B

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_00445936 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

0_2_00445936

Source: C:\Users\user\Desktop\S34C65xU.exe

Code function: 0_2_00405E69 __EH_prolog3_GS,GetVersion,MessageBoxW,PostMessageW,GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,SetWindowTextW,SetWindowTextW,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,GetDlgItem,SetWindowTextW,SetFocus,ShowWindow,KiUserCallbackDispatcher,EnableWindow,ShowWindow,GetDlgItem,GetDlgItem,SendMessageW,ShellExecuteW,SetWindowTextW,EnableWindow,SetTimer,PostMessageW,

0_2_00405E69

Source: C:\Driver\Samsung_Driver_Installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	22 Virtualization/Sandbox Evasion	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Query Registry	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Native API	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	231 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	22 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	31 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	134 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
S34C65xU.exe	8%	ReversingLabs
S34C65xU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Driver\Samsung_Driver_Installer.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers?	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://upx.sf.net	Amcache.hve.5.dr	false		high
http://www.fontbureau.com/designers	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carterandcone.coml	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.galapagosdesign.com/staff/dennis.htm	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.fontbureau.com/designers/frere-jones.html	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://www.sakkal.com	Samsung_Driver_Installer.exe, 00000002.00000002.1192644366.000000001CD02000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1428818
Start date and time:	2024-04-19 17:00:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	S34C65xU.exe
Detection:	SUS
Classification:	sus39.evad.winEXE@4/12@0/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 109 Number of non-executed functions: 103
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, evoke-windowsservices-tas.msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Samsung_Driver_Installer.exe, PID 4560 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: S34C65xU.exe

Simulations

Behavior and APIs

Time	Type	Description
17:00:49	API Interceptor	1x Sleep call for process: WerFault.exe modified

Process:	C:\Users\user\Desktop\S34C65xU.exe
File Type:	data
Category:	dropped
Size (bytes):	11673
Entropy (8bit):	7.188984887935079
Encrypted:	false
SSDEEP:	192:VqgJyOtSECFF3Ee2yKO3FWQFyG74+Wg5rH0BJhHX01k9z3AZ/Cn:Ab3FRwG7VdVUB3R9ziy
MD5:	4A1FD4ED8362D1C313C20893F0F438D8
SHA1:	FB2E9085857D12852E715E12DB1D6EB20962F9A4
SHA-256:	83B3563350106F5217C401C17CCA42B7D547604BCE40D9BFACB1EF65A2A5672F
SHA-512:	FA5166BC6ECF1C4E78DD728335A5042BF5227B30C14882B571430630964CB72743C2730F74DA5157DCF043ED84EC81F7029C7A9E029DCA911684A068CB959A4B
Malicious:	false
Reputation:	low
Preview:	0.-...*.H........-.0.-....1.0...`.H.e......0..K..+.....7.....<0..80...+.....7.....=....r.L..j..7yo..230414051838Z0...+.....7.....0..Z0....R1.7.A.F.3.2.2.9.6.0.2.7.3.5.A.2.6.4.6.9.D.2.6.7.E.6.6.D.6.5.B.2.E.6.3.5.2.E.9.7...1..Q0<..+.....7...1.0,...F.i.l.e........s.3.4.c.6.5.x.u...i.c.m...0E..+.....7...17050...+.....7.......0!0...+..........2)`'5.di.g.me..5..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0f..+.....7...1X0V...O.S.A.t.t.r.......@2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.1.0...0...0....R5.E.A.E.1.E.C.3.D.C.7.4.0.B.E.2.4.4.D.F.D.D.A.B.6.6.7.4.2.3.B.C.8.7.3.9.3.2.F.D...1..Q0<..+.....7...1.0,...F.i.l.e........s.3.4.c.6.5.x.u...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........^....t..D..ft#..92.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0f..+.....7...1X0V...O.S.A.t.t.r.......@2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.1.0...0.......0...0

C:\Driver\Manual_S34C65xU\S34C65xU.icm

Download File

Process:	C:\Users\user\Desktop\S34C65xU.exe
File Type:	Microsoft color profile 2.2, RGB/XYZ-mntr device by SEC, 536 bytes, 14-3-2017 13:56:00, PCS, 0x3030303030303030 MD5 "Samsung S27C90xP"
Category:	dropped
Size (bytes):	536
Entropy (8bit):	3.8303684686949593
Encrypted:	false
SSDEEP:	12:YNWcXOXOX+zWl58AskMzcXAlNdWL2GawtywRtRtTF2CL:BcuuZl58uMbletXXFFVL
MD5:	6C345E7641695AA518D305FE0D24694D
SHA1:	17AF3229602735A26469D267E66D65B2E6352E97
SHA-256:	AF8DC473F567F0885738F44AD02122C8CA27BBDEC1D7D77B74F4044A2762A591
SHA-512:	834126AB9F2D42772503469EDB497955905C7A73EADE70E541A578C5647D64A41C542A98A1850560D1E1668C2D687E97EC9F504EF64463FF90564AC6F466E4D8
Malicious:	false
Reputation:	low
Preview:	......... ..mntrRGB XYZ .........8..acspMSFT....SEC............................-SEC.00000000-00000000-00000000-00000000.............desc.......prXYZ...`....gXYZ...t....bXYZ........wtpt........rTRC........gTRC........bTRC........cprt.......8desc........Samsung S27C90xP....................................................................................XYZ .......V..E.....XYZ ......@.........XYZ ......$........XYZ ...............\curv.........3..curv.........3..curv.........3..text....Copyright(c) 2023 Samsung Electronics Co., Ltd..

C:\Driver\Manual_S34C65xU\S34C65xU.inf

Download File

Process:	C:\Users\user\Desktop\S34C65xU.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5646
Entropy (8bit):	5.52461206696134
Encrypted:	false
SSDEEP:	96:sGsM825xMs4MsKc8Msqg9sJ7m5/5UGtrMT:s7M8ExmsYBQ5/5UGtC
MD5:	F5EF5F497119CE33CC67885EBC562AE6
SHA1:	5EAE1EC3DC740BE244DFDDAB667423BC873932FD
SHA-256:	35768E8E4FD77DA64EC94A00AA842C224321F89690ABC5316372B289B09B6B49
SHA-512:	1296B94189C18085F4757CAA5F099AFACBD7916D38A97B63F66769EB661641AB966069674623152B31B4CA3A7911535FDBA7B0075FC9B741E753B452BE85A45A
Malicious:	false
Reputation:	low
Preview:	;==================================================..; S34C65xU.inf 04/14/2023 ver. 1.0Y..;..; Copyright 2023 Samsung Electronics Corporation..;..; This is a Setup information file for Samsung Monitor. ..;==================================================....[Version]..signature="$CHICAGO$"..Class=Monitor..ClassGuid={4D36E96E-E325-11CE-BFC1-08002BE10318}..Provider=%Samsung%..CatalogFile=S34C65xU.cat..DriverVer=04/14/2023,1.0.0.0....;==================================================..[ControlFlags]..ExcludeFromSelect.nt=Monitor\SAM73FC..ExcludeFromSelect.nt=Monitor\SAM73FD..ExcludeFromSelect.nt=Monitor\SAM73FB..ExcludeFromSelect.nt=Monitor\SAM73FF..ExcludeFromSelect.nt=Monitor\SAM73FE..ExcludeFromSelect.nt=Monitor\SAM7401..ExcludeFromSelect.nt=Monitor\SAM7400....[DestinationDirs]..DefaultDestDir = 11..S34C65xU_HDMI_20.CopyFiles = 23..S34C65xU_HDMI_14.CopyFiles = 23..S34C65xU_VRR.CopyFiles = 23..S34C65xU_DP_11.CopyFiles = 23..S34C65xU_DP_14.CopyFiles = 23..S34C65xU_USBC_11.CopyFiles = 2

C:\Driver\S34C65xU.cat

Download File

Process:	C:\Users\user\Desktop\S34C65xU.exe
File Type:	data
Category:	dropped
Size (bytes):	11673
Entropy (8bit):	7.188984887935079
Encrypted:	false
SSDEEP:	192:VqgJyOtSECFF3Ee2yKO3FWQFyG74+Wg5rH0BJhHX01k9z3AZ/Cn:Ab3FRwG7VdVUB3R9ziy
MD5:	4A1FD4ED8362D1C313C20893F0F438D8
SHA1:	FB2E9085857D12852E715E12DB1D6EB20962F9A4
SHA-256:	83B3563350106F5217C401C17CCA42B7D547604BCE40D9BFACB1EF65A2A5672F
SHA-512:	FA5166BC6ECF1C4E78DD728335A5042BF5227B30C14882B571430630964CB72743C2730F74DA5157DCF043ED84EC81F7029C7A9E029DCA911684A068CB959A4B
Malicious:	false
Reputation:	low
Preview:	0.-...*.H........-.0.-....1.0...`.H.e......0..K..+.....7.....<0..80...+.....7.....=....r.L..j..7yo..230414051838Z0...+.....7.....0..Z0....R1.7.A.F.3.2.2.9.6.0.2.7.3.5.A.2.6.4.6.9.D.2.6.7.E.6.6.D.6.5.B.2.E.6.3.5.2.E.9.7...1..Q0<..+.....7...1.0,...F.i.l.e........s.3.4.c.6.5.x.u...i.c.m...0E..+.....7...17050...+.....7.......0!0...+..........2)`'5.di.g.me..5..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0f..+.....7...1X0V...O.S.A.t.t.r.......@2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.1.0...0...0....R5.E.A.E.1.E.C.3.D.C.7.4.0.B.E.2.4.4.D.F.D.D.A.B.6.6.7.4.2.3.B.C.8.7.3.9.3.2.F.D...1..Q0<..+.....7...1.0,...F.i.l.e........s.3.4.c.6.5.x.u...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........^....t..D..ft#..92.0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0f..+.....7...1X0V...O.S.A.t.t.r.......@2.:.5...0.0.,.2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.1.0...0.......0...0

C:\Driver\S34C65xU.icm

Download File

Process:	C:\Users\user\Desktop\S34C65xU.exe
File Type:	Microsoft color profile 2.2, RGB/XYZ-mntr device by SEC, 536 bytes, 14-3-2017 13:56:00, PCS, 0x3030303030303030 MD5 "Samsung S27C90xP"
Category:	dropped
Size (bytes):	536
Entropy (8bit):	3.8303684686949593
Encrypted:	false
SSDEEP:	12:YNWcXOXOX+zWl58AskMzcXAlNdWL2GawtywRtRtTF2CL:BcuuZl58uMbletXXFFVL
MD5:	6C345E7641695AA518D305FE0D24694D
SHA1:	17AF3229602735A26469D267E66D65B2E6352E97
SHA-256:	AF8DC473F567F0885738F44AD02122C8CA27BBDEC1D7D77B74F4044A2762A591
SHA-512:	834126AB9F2D42772503469EDB497955905C7A73EADE70E541A578C5647D64A41C542A98A1850560D1E1668C2D687E97EC9F504EF64463FF90564AC6F466E4D8
Malicious:	false
Reputation:	low
Preview:	......... ..mntrRGB XYZ .........8..acspMSFT....SEC............................-SEC.00000000-00000000-00000000-00000000.............desc.......prXYZ...`....gXYZ...t....bXYZ........wtpt........rTRC........gTRC........bTRC........cprt.......8desc........Samsung S27C90xP....................................................................................XYZ .......V..E.....XYZ ......@.........XYZ ......$........XYZ ...............\curv.........3..curv.........3..curv.........3..text....Copyright(c) 2023 Samsung Electronics Co., Ltd..

C:\Driver\S34C65xU.inf

Download File

Process:	C:\Users\user\Desktop\S34C65xU.exe
File Type:	Windows setup INFormation
Category:	dropped
Size (bytes):	5646
Entropy (8bit):	5.52461206696134
Encrypted:	false
SSDEEP:	96:sGsM825xMs4MsKc8Msqg9sJ7m5/5UGtrMT:s7M8ExmsYBQ5/5UGtC
MD5:	F5EF5F497119CE33CC67885EBC562AE6
SHA1:	5EAE1EC3DC740BE244DFDDAB667423BC873932FD
SHA-256:	35768E8E4FD77DA64EC94A00AA842C224321F89690ABC5316372B289B09B6B49
SHA-512:	1296B94189C18085F4757CAA5F099AFACBD7916D38A97B63F66769EB661641AB966069674623152B31B4CA3A7911535FDBA7B0075FC9B741E753B452BE85A45A
Malicious:	false
Reputation:	low
Preview:	;==================================================..; S34C65xU.inf 04/14/2023 ver. 1.0Y..;..; Copyright 2023 Samsung Electronics Corporation..;..; This is a Setup information file for Samsung Monitor. ..;==================================================....[Version]..signature="$CHICAGO$"..Class=Monitor..ClassGuid={4D36E96E-E325-11CE-BFC1-08002BE10318}..Provider=%Samsung%..CatalogFile=S34C65xU.cat..DriverVer=04/14/2023,1.0.0.0....;==================================================..[ControlFlags]..ExcludeFromSelect.nt=Monitor\SAM73FC..ExcludeFromSelect.nt=Monitor\SAM73FD..ExcludeFromSelect.nt=Monitor\SAM73FB..ExcludeFromSelect.nt=Monitor\SAM73FF..ExcludeFromSelect.nt=Monitor\SAM73FE..ExcludeFromSelect.nt=Monitor\SAM7401..ExcludeFromSelect.nt=Monitor\SAM7400....[DestinationDirs]..DefaultDestDir = 11..S34C65xU_HDMI_20.CopyFiles = 23..S34C65xU_HDMI_14.CopyFiles = 23..S34C65xU_VRR.CopyFiles = 23..S34C65xU_DP_11.CopyFiles = 23..S34C65xU_DP_14.CopyFiles = 23..S34C65xU_USBC_11.CopyFiles = 2

C:\Driver\Samsung_Driver_Installer.exe

Download File

Process:	C:\Users\user\Desktop\S34C65xU.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3338752
Entropy (8bit):	7.994420891570565
Encrypted:	true
SSDEEP:	98304:L50fzFWwF9GHRm707c97Yj7pdFkhebQHGwx/:V0fJ8xU7Yjld2h8QmO
MD5:	15770FC2AC6D46F841CB5B8E3C453F32
SHA1:	271BFDACFBF864A5A42E4E99C8687BD7E76B6381
SHA-256:	9E81D01ACF9F8FBAB2D551668B29A8E6F0017EE79D651BD3320BF0E51282CC5A
SHA-512:	2C944A34C8026494DA7600CD2713AA9C75D385D7737B8F820F9D75840F58A239CE48426CBC8A1BD93C6310426954608DE8974F55B69AD731B5062C4F2DF038A4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...2...........2.. ....2...@.. ....................... 3.......3...@.................................p.2.O.....2...............2......3.......2.8............................................ ............... ..H............text....2.. ....2................. ..`.rsrc.........2.......2.............@..@.reloc........3.......2.............@..B..................2.....H........1..P>..........do..`W2.........................................^..}.....(.......(......0..?.........(....o....r...po ....s!.....o"....o#.....o"....o$.....o%...&..0..+.........,..{.......+....,...{....o........(&....6..s'...}....z..}.....((......(......(......0...........r...p.r...ps)......o...o+....+H.o,...t.......re..po-...o...........,!.r}..p.re..po-...o....r...p(/......o0...-....,..o.......r...po1.......,.r...p....+..............Ts.......0..t........r...p.r

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Samsung_Driver_I_8eed55e27c43b9c57636aa58c88d2e557d153d1_0cdd0738_c03bf17d-4e1a-409e-83ae-3bc1cc2052fe\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2073508070152252
Encrypted:	false
SSDEEP:	192:GiyU/wHD0kOiRaB89oHomV4b2svwuZFuO38XFzuiFhZ24lO8zp:0U/wHwkOiRava3ezuiFhY4lO89
MD5:	CDF213E8902C90D195DDCF9D1A1973DB
SHA1:	A85EDEA62173510C5436296221540C47E247619A
SHA-256:	9AC2858EDE5C233203D76D0C2B14CF21F2E8D77E8795053FDC5797040E72F9B9
SHA-512:	829FCD965EDCFD5BD60F85FF9B1180A8472D39D9C09A30EC782A29C1F160A0CDE4BA5250FF0A47310640CA541E0CF3EDA4CFB4E76440BAA0EA8D5EA97C91370D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.0.1.2.4.4.3.5.6.3.3.0.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.0.1.2.4.4.4.8.2.6.3.2.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.0.3.b.f.1.7.d.-.4.e.1.a.-.4.0.9.e.-.8.3.a.e.-.3.b.c.1.c.c.2.0.5.2.f.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.1.a.0.2.3.5.-.3.6.6.a.-.4.4.6.7.-.8.3.d.7.-.4.4.8.b.1.9.c.3.f.d.a.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.a.m.s.u.n.g._.D.r.i.v.e.r._.I.n.s.t.a.l.l.e.r...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.a.m.s.u.n.g._.D.r.i.v.e.r._.I.n.s.t.a.l.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.d.0.-.0.0.0.1.-.0.0.1.7.-.e.1.c.6.-.b.7.5.8.6.a.9.2.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.9.6.c.e.8.7.0.6.c.4.b.5.b.3.0.6.7.4.0.6.8.e.8.5.5.9.5.f.e.4.8.0.0.0.0.0.0.0.0.!.0.0.0.0.2.7.1.b.f.d.a.c.f.b.f.8.6.4.a.5.a.4.2.e.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3508.tmp.mdmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 19 15:00:44 2024, 0x260521 type
Category:	dropped
Size (bytes):	9626230
Entropy (8bit):	3.6323378769533936
Encrypted:	false
SSDEEP:	98304:r2Qg+pPrCGGvI/qa6jPW4wRCmnHPqYaFozy/:2BmnHyYaYy/
MD5:	1918906E12A8CE66B71ACCE2DFBD7F7F
SHA1:	ADDC953860B92C7D067D4F2F5F9193585C33E688
SHA-256:	5A0F3137FDB0E3701C6A88FFEFE7C99BBFC1AA241E5D33D2A055C041E67F8FFF
SHA-512:	864F019B47E168504F90984160D94AF889268243631428E96B7E4AECC3B781D2E607481353F06D060647C0BCC1333C8CE5EBB560DADDB33A216E26A78D2F79C2
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........."f!.&.................................l...l&...........&..........\|F......dO...0..........`.......8...........T...............DJ..........0L..................................................................eJ.......L......Lw......................T............."f.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38E1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8874
Entropy (8bit):	3.7050703525647086
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+tVbg6YE3i6CNgmfdbFprM89b+VKfFSqm:R6lXJ8e6YEy6ogmfdbx+YfF2
MD5:	951ED134794E45BD675F1C8DCA7B4DE7
SHA1:	1BCCA6DF83BEB427383395646A086BAD477D2AD5
SHA-256:	511DB32EE7DCE4A608329F86ED7EF9B0CE62FA49E3B71AB8558D0E235230B339
SHA-512:	369643092E839A8B1CA1328562F637A8B5F9DCAAEE21C11E63E1D575952B7737CF5956089E03D6725D38BD8EAF998D623C85DABF69CBAAE9E39ED2CE61F6E7A0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.5.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER394F.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4848
Entropy (8bit):	4.5306134415254675
Encrypted:	false
SSDEEP:	48:cvIwWl8zs/Jg771I9t6rWda80ayYm8M4J4j2nF/Qyq85ElW8c3vnSoSxod:uIjfhI7a7dljJ3QfcaTOd
MD5:	7817A2D847C9603AA0A2545F5EC6DC20
SHA1:	28D9331035BBB3D463C09F3A1353CA22364331EA
SHA-256:	D9C29B8663BD3E5C6882F9EF4337353947BD3A87172A443F95BD7834E2314109
SHA-512:	3ECFCFDDD33E838899DB7AD46338A734DDF53A7986216EBDAFF7E245F6D9836C493B993A7FDC7C4484D395B328FF26B30600C01AB5A8C4900BA88FB88C840F41
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="286923" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.531123708755197
Encrypted:	false
SSDEEP:	6144:RC0egXHGcrp1Xc7dzUx0DhV0HaHLmmOHsxiQbDYSSBRtu8ZmvckxiBIuNRAW39K:1ezphLYsx5bDYFgXhsmqRv
MD5:	894A2492CC19B45C0A6170D6C0466F49
SHA1:	3AF211C76608543CBBC047D60951421EFF97051E
SHA-256:	F75D556D92508DF486B1CB84174E82233D5722432BCDE3333B5C27866A6E31C0
SHA-512:	1F5CAAFF01BBD4B940FF8EF21981C49A5BCE7706307A5D9025C1B77CF7B8DC336C86EB1F5DF02556D1FAEE765B9F817983A7EAB25394659B3465B7EF5B513CAF
Malicious:	false
Reputation:	low
Preview:	regfL...L....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.k.Yj...............................................................................................................................................................................................................................................................................................................................................B..m........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.995785559896405
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	S34C65xU.exe
File size:	3'593'752 bytes
MD5:	1cd84bbd0b0dc7c19bedc0f5d292070b
SHA1:	68840931dfaf6652cec3165b79de3daa9c100b64
SHA256:	58ec960ce6f2f0c2f04fb70915767bb2caebf6a7b63411e92fbee6cc9e9bbad7
SHA512:	20770f984a41954ede2643cb9c795e5ad0a2bfb1b09c9425b4ae3f1b786e81be4a687934186b750d8d2f885726df3c5bf55837de903c3a6e1b38ccb0dc231fe4
SSDEEP:	98304:a5mYPP6dvNQFXgvfATgxunBs/RTvyLGRISVaxA4ESiA8Y:l46dIQ8BspT66RPayA18Y
TLSH:	88F5333095C8EC05E03B267449A94BB29262CDC4ED2ADC12362D3DC8ED7E67B9D136F5
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y..i=.}:=.}:=.}:...:<.}:4..:!.}:4..:..}:4..:..}:=.\|:..}:4..:6.}:4..:..}:#..:<.}:4..:<.}:Rich=.}:........PE..L......]...........

File Icon


Icon Hash:	962b59d8292d3953

Static PE Info

General

Entrypoint:	0x4873b0
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5D9A8F18 [Mon Oct 7 01:04:24 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	4422cd285129af661d70fbc1279af032

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	10/12/2021 01:00:00 08/01/2025 00:59:59
Subject Chain	CN="Samsung Electronics CO., LTD.", O="Samsung Electronics CO., LTD.", L=Suwon-si, S=Gyeonggi-Do, C=KR, SERIALNUMBER=130111-0006246, OID.1.3.6.1.4.1.311.60.2.1.1=Suwon-si, OID.1.3.6.1.4.1.311.60.2.1.2=Gyeonggi-do, OID.1.3.6.1.4.1.311.60.2.1.3=KR, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	BA778A10518E1A503A80E58BDF9D8A88
Thumbprint SHA-1:	A2CF6441659C71F58ABCAFFA7063AC444B575462
Thumbprint SHA-256:	F8BA472F803A84B8D15DDD555625C1E30C29D05141316D892FD107C519236B0E
Serial:	02B39B4EBDBAEF8A7D5509C8C58813C3

Entrypoint Preview

Instruction
pushad
mov esi, 00459000h
lea edi, dword ptr [esi-00058000h]
push edi
jmp 00007F04A8C94F3Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F04A8C94F39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F04A8C94F1Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F04A8C94F39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F04A8C94F3Dh
jne 00007F04A8C94F5Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F04A8C94F51h
dec eax
add ebx, ebx
jne 00007F04A8C94F39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F04A8C94F06h
add ebx, ebx
jne 00007F04A8C94F39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F04A8C94F84h
xor ecx, ecx
sub eax, 03h
jc 00007F04A8C94F43h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F04A8C94FA7h
sar eax, 1
mov ebp, eax
jmp 00007F04A8C94F3Dh
add ebx, ebx
jne 00007F04A8C94F39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F04A8C94EFEh
inc ecx
add ebx, ebx
jne 00007F04A8C94F39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F04A8C94EF0h
add ebx, ebx
jne 00007F04A8C94F39h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F04A8C94F21h
jne 00007F04A8C94F3Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F04A8C94F16h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F04A8C94F40h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x95c0c	0x188	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0xdc0c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x36ac18	0x2a00
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x87558	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x58000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x59000	0x2f000	0x2e600	09c3f36f2fddf096caf4ff5e5d345a17	False	0.9848645973719676	data	7.9331856398945595	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x88000	0xe000	0xde00	685172bbaff39ce28a95280b7ee0ff0e	False	0.7449852195945946	data	7.004750731092597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x8850c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Korean	North Korea	0.4914712153518124
RT_ICON	0x8850c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Korean	South Korea	0.4914712153518124
RT_ICON	0x893b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Korean	North Korea	0.651173285198556
RT_ICON	0x893b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Korean	South Korea	0.651173285198556
RT_ICON	0x89c64	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Korean	North Korea	0.37283236994219654
RT_ICON	0x89c64	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Korean	South Korea	0.37283236994219654
RT_ICON	0x8a1d0	0x7965	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Korean	North Korea	0.9906039836535058
RT_ICON	0x8a1d0	0x7965	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Korean	South Korea	0.9906039836535058
RT_ICON	0x91b3c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Korean	North Korea	0.3975103734439834
RT_ICON	0x91b3c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Korean	South Korea	0.3975103734439834
RT_ICON	0x940e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Korean	North Korea	0.43550656660412757
RT_ICON	0x940e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Korean	South Korea	0.43550656660412757
RT_ICON	0x95194	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Korean	North Korea	0.4122340425531915
RT_ICON	0x95194	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Korean	South Korea	0.4122340425531915
RT_DIALOG	0x7c5e0	0x2b0	data	English	United States	1.0159883720930232
RT_DIALOG	0x7c890	0x29c	data	Korean	North Korea	1.0164670658682635
RT_DIALOG	0x7c890	0x29c	data	Korean	South Korea	1.0164670658682635
RT_DIALOG	0x7cb2c	0x148	data	English	United States	1.0335365853658536
RT_DIALOG	0x7cc74	0x118	data	Korean	North Korea	1.0392857142857144
RT_DIALOG	0x7cc74	0x118	data	Korean	South Korea	1.0392857142857144
RT_DIALOG	0x7cd8c	0x302	data	English	United States	1.0142857142857142
RT_DIALOG	0x7d090	0x2ee	data	Korean	North Korea	1.0146666666666666
RT_DIALOG	0x7d090	0x2ee	data	Korean	South Korea	1.0146666666666666
RT_DIALOG	0x7d380	0x190	data	English	United States	1.0275
RT_DIALOG	0x7d510	0x170	data	Korean	North Korea	1.0298913043478262
RT_DIALOG	0x7d510	0x170	data	Korean	South Korea	1.0298913043478262
RT_STRING	0x7d680	0x260	data	English	United States	1.018092105263158
RT_STRING	0x7d8e0	0x182	data	Korean	North Korea	1.028497409326425
RT_STRING	0x7d8e0	0x182	data	Korean	South Korea	1.028497409326425
RT_STRING	0x7da64	0x1c0	BIOS (ia32) ROM Ext. (68*512)	English	United States	1.0245535714285714
RT_STRING	0x7dc24	0x150	IRIS Showcase file - version 8	Korean	North Korea	1.0327380952380953
RT_STRING	0x7dc24	0x150	IRIS Showcase file - version 8	Korean	South Korea	1.0327380952380953
RT_STRING	0x7dd74	0x1d2	data	English	United States	1.0236051502145922
RT_STRING	0x7df48	0x15a	data	Korean	North Korea	1.0317919075144508
RT_STRING	0x7df48	0x15a	data	Korean	South Korea	1.0317919075144508
RT_STRING	0x7e0a4	0x3d0	data	English	United States	1.0112704918032787
RT_STRING	0x7e474	0x262	data	Korean	North Korea	1.018032786885246
RT_STRING	0x7e474	0x262	data	Korean	South Korea	1.018032786885246
RT_STRING	0x7e6d8	0x266	data	English	United States	0.993485342019544
RT_STRING	0x7e940	0x194	data	Korean	North Korea	1.0272277227722773
RT_STRING	0x7e940	0x194	data	Korean	South Korea	1.0272277227722773
RT_GROUP_ICON	0x95600	0x68	data	Korean	North Korea	0.7019230769230769
RT_GROUP_ICON	0x95600	0x68	data	Korean	South Korea	0.7019230769230769
RT_VERSION	0x9566c	0x32c	data	Korean	North Korea	0.4642857142857143
RT_VERSION	0x9566c	0x32c	data	Korean	South Korea	0.4642857142857143
RT_MANIFEST	0x9599c	0x26e	ASCII text, with CRLF line terminators	English	United States	0.5176848874598071

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
COMDLG32.dll	GetOpenFileNameW
SHELL32.dll	SHGetMalloc
SHLWAPI.dll	PathCompactPathExW
USER32.dll	SetTimer

Possible Origin

Language of compilation system	Country where language is spoken	Map
Korean	North Korea
Korean	South Korea
English	United States

Target ID:	0
Start time:	17:00:40
Start date:	19/04/2024
Path:	C:\Users\user\Desktop\S34C65xU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\S34C65xU.exe"
Imagebase:	0x400000
File size:	3'593'752 bytes
MD5 hash:	1CD84BBD0B0DC7C19BEDC0F5D292070B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:00:41
Start date:	19/04/2024
Path:	C:\Driver\Samsung_Driver_Installer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Driver\Samsung_Driver_Installer.exe"
Imagebase:	0x2e0000
File size:	3'338'752 bytes
MD5 hash:	15770FC2AC6D46F841CB5B8E3C453F32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:00:43
Start date:	19/04/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 4560 -s 1800
Imagebase:	0x7ff7ea7c0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	38

Executed Functions

Function 00405E69 Relevance: 54.7, APIs: 27, Strings: 4, Instructions: 495
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00405E73
GetVersion.KERNEL32(0000022C,0040507D,?,?), ref: 00405E96
MessageBoxW.USER32(00000000,?,ALZip Self-Extractor,00000014), ref: 00405ECA
PostMessageW.USER32(?,00000111,00000001,00000000), ref: 004060F7
GetDlgItem.USER32(?,000003E9), ref: 0040611D
SendMessageW.USER32(00000000,00000402,00000064,00000000), ref: 00406128
GetDlgItem.USER32(?,000003F0), ref: 00406134
SetWindowTextW.USER32(?,?), ref: 00406168
SetWindowTextW.USER32(?,?), ref: 004061E7
GetDlgItem.USER32(?,000003F1), ref: 0040620B
ShowWindow.USER32(00000000,00000000), ref: 00406211
GetDlgItem.USER32(?,00000066), ref: 0040621F
ShowWindow.USER32(00000000,00000000), ref: 00406223
GetDlgItem.USER32(?,00000002), ref: 00406231
SetWindowTextW.USER32(?,?), ref: 00406269
SetFocus.USER32(?), ref: 00406285
ShowWindow.USER32(?,00000006,?,?,?,?,?, pE,?), ref: 004063A0
KiUserCallbackDispatcher.NTDLL(?,00000000), ref: 004063AF

Part of subcall function 00402A2E: __EH_prolog3_GS.LIBCMT ref: 00402A38
Part of subcall function 00402A2E: _memset.LIBCMT ref: 00402A76
Part of subcall function 00402A2E: LoadStringW.USER32(?,?,00000208), ref: 00402A93

EnableWindow.USER32(?,00000001), ref: 00406420
ShowWindow.USER32(?,00000009), ref: 0040642E
GetDlgItem.USER32(?,000003EB), ref: 00406491
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0040649B
ShellExecuteW.SHELL32(?,open,00000000,00000000,-00000008,0000000A), ref: 004064DF
SetWindowTextW.USER32(?,?), ref: 00406520
EnableWindow.USER32(?,00000000), ref: 0040652D
SetTimer.USER32(?,00000000,000000C8,00000000), ref: 00406540
PostMessageW.USER32(?,00000111,00000001,00000000), ref: 0040656E

Strings

pE, xrefs: 00406332, 00406344, 00406352, 00406338
open, xrefs: 004064D4
ALZip Self-Extractor, xrefs: 00405EC3
\, xrefs: 00405F91

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Window$Item$Message$ShowText$EnableH_prolog3_PostSend$CallbackDispatcherExecuteFocusLoadShellStringTimerUserVersion_memset
String ID: pE$ALZip Self-Extractor$\$open
API String ID: 268777293-2346426086
Opcode ID: 9d441dc41f803611898e77d6aad1cbc59ddd49c8217cf285c92eb2eadffc418c
Instruction ID: cc1059a92505a80de70d0d8f4cb0fe5d80e5bc79c66f50ec544396aea2430fb7
Opcode Fuzzy Hash: 9d441dc41f803611898e77d6aad1cbc59ddd49c8217cf285c92eb2eadffc418c
Instruction Fuzzy Hash: D1225C71D40228AADB21EBA1CD45BDEBB74AF04304F1141AAF509771E2CB786F85CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00408E7F Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 75
synchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00408E89
_memset.LIBCMT ref: 00408EA4
ShellExecuteExW.SHELL32(0000003C), ref: 00408EE3
WaitForSingleObject.KERNEL32(?,00000046,00000001,?,00457018,00000000), ref: 00408EFD
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00408F2B
WaitForSingleObject.KERNEL32(?,00000046,?,00457018,00000000), ref: 00408F36
CloseHandle.KERNEL32(?,?,00457018,00000000), ref: 00408F43

Strings

<, xrefs: 00408EB5
@, xrefs: 00408ED9
runas, xrefs: 00408EC7

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ObjectSingleWait$CloseExecuteHandleMessagePeekShell_memset_wcslen
String ID: <$@$runas
API String ID: 3525750456-2740324054
Opcode ID: c7e777b371a3860a1e3f1ffb60f4cb73ce8a7a8985138eb1abd09fb8c70c4fce
Instruction ID: d0eeba9bcc0888e005bffe79d6b1be73ace81fbf82a055ef6d242c2e9cf3c5c2
Opcode Fuzzy Hash: c7e777b371a3860a1e3f1ffb60f4cb73ce8a7a8985138eb1abd09fb8c70c4fce
Instruction Fuzzy Hash: E8215CB1C01259AFDB10DFE4CD85ADEBBBDAF08344F10043AE541BB291EB799E458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041082C Relevance: 10.7, Strings: 8, Instructions: 704COMMON

Download Yara Rule

Strings

too many length or distance symbols, xrefs: 00410898
invalid bit length repeat, xrefs: 00410B1F, 00410B2E
invalid distance code, xrefs: 00410EB3
invalid distance too far back, xrefs: 00410F25
invalid distances set, xrefs: 00410BC2
invalid code lengths set, xrefs: 00410944
invalid literal/lengths set, xrefs: 00410B7E
invalid literal/length code, xrefs: 00410D57

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID: invalid bit length repeat$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
API String ID: 0-3031085480
Opcode ID: a0a833dce37de94e80a67d70c1c8cd461ad68bf1221746715794e4e39db057ed
Instruction ID: 26a27df49111651915cd508ad4975524c52be54301a2cbdef2cd151357077bbf
Opcode Fuzzy Hash: a0a833dce37de94e80a67d70c1c8cd461ad68bf1221746715794e4e39db057ed
Instruction Fuzzy Hash: 0E529A71A006099FCB28CF68C8906EEBBF1FF88305F14456ED49297781D7B8AAC1DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004136CA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(Normaliz.dll), ref: 004136DA
GetProcAddress.KERNEL32(00000000,IsNormalizedString), ref: 004136F5
GetProcAddress.KERNEL32(NormalizeString), ref: 00413707

Strings

Normaliz.dll, xrefs: 004136D5
NormalizeString, xrefs: 004136F7
IsNormalizedString, xrefs: 004136EF

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: IsNormalizedString$Normaliz.dll$NormalizeString
API String ID: 2238633743-2967334653
Opcode ID: 05a5eb30bf108b26600be0f495ddc2e17491d709c6336940d47c8fafe258bcc9
Instruction ID: e84024ac8a126c7ab34af55295ff9b7b7eb96dd235dd708817b1fedef6d6b7f1
Opcode Fuzzy Hash: 05a5eb30bf108b26600be0f495ddc2e17491d709c6336940d47c8fafe258bcc9
Instruction Fuzzy Hash: 00E0C2B5E12360AB8B215FA4AE4455A3AA4A208B11311453BEC01933A1F3F898808B9F

Uniqueness

Uniqueness Score: -1.00%

Function 00410073 Relevance: 6.8, Strings: 5, Instructions: 571COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 004101F4
unknown header flags set, xrefs: 00410243
header crc mismatch, xrefs: 00410626
invalid window size, xrefs: 004101BD
unknown compression method, xrefs: 00410196, 00410232

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
API String ID: 0-3633268661
Opcode ID: 9a341add5ceaa01a9590b016c24e716d4c66623b53e3b8af38635e7ff3e94308
Instruction ID: d863c9de8348281ca3f2c46aec38538ee334362c2d0949941e1f87975930f5d0
Opcode Fuzzy Hash: 9a341add5ceaa01a9590b016c24e716d4c66623b53e3b8af38635e7ff3e94308
Instruction Fuzzy Hash: B5326B70A00305DFDB24CF69C4846AABBF1BF48300F24866ED99597791D7B8EAC5CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004055B5 Relevance: 61.7, APIs: 33, Strings: 2, Instructions: 405
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004055BF
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 004055DB
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 004055E8
SetWindowTextW.USER32(?,?), ref: 0040561B
_wcslen.LIBCMT ref: 004056CB
_memset.LIBCMT ref: 004057CB
SHGetSpecialFolderPathW.SHELL32(?,?,00000005,00000001), ref: 004057E4
GetDlgItem.USER32(?,000003E8), ref: 0040586C
SetWindowTextW.USER32(00000000,?), ref: 00405885
LoadIconW.USER32(00000000,00000065), ref: 0040589F
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004058B9
GetDlgItem.USER32(?,000003E9), ref: 004058C6
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004058DB
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004058EC
ShowWindow.USER32(?,00000000), ref: 004058FC
GetDlgItem.USER32(?,000003F0), ref: 00405909
SetWindowTextW.USER32(?,?), ref: 0040593E
GetDlgItem.USER32(?,000003F1), ref: 0040594F
ShowWindow.USER32(00000000,00000000), ref: 00405954
GetDlgItem.USER32(?,000003EC), ref: 00405961

Part of subcall function 00402A2E: __EH_prolog3_GS.LIBCMT ref: 00402A38
Part of subcall function 00402A2E: _memset.LIBCMT ref: 00402A76
Part of subcall function 00402A2E: LoadStringW.USER32(?,?,00000208), ref: 00402A93

SetWindowTextW.USER32(?,?), ref: 004059BA
GetDlgItem.USER32(?,000003ED), ref: 004059CB
SetWindowTextW.USER32(?,?), ref: 00405A24
GetDlgItem.USER32(?,00000001), ref: 00405A32
SetWindowTextW.USER32(?,?), ref: 00405A8B
GetDlgItem.USER32(?,000003EA), ref: 00405A9C
SetWindowTextW.USER32(?,?), ref: 00405AF5
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00405B0A
GetDlgItem.USER32(?,000003EB), ref: 00405B1B
SetWindowTextW.USER32(?,?), ref: 00405B75
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00405BCF
SetFocus.USER32(?), ref: 00405BFB
PostMessageW.USER32(?,00000111,000003ED,00000000), ref: 00405C1A

Strings

%DESTDIR%\, xrefs: 004056C6
%DESTDIR%, xrefs: 0040568E

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Window$Item$Text$Message$Send$CriticalH_prolog3_LoadSectionShow_memset$EnterFocusFolderIconLeavePathPostSpecialString_wcslen
String ID: %DESTDIR%$%DESTDIR%\
API String ID: 4261140470-3507764503
Opcode ID: 4fba22ee684a5f5929baaaf7a6a334e100aa1e28078a7d2bfdd56a9f7f74f4e5
Instruction ID: fcb14e1ca9d3133d1e6d217415730d45d0a2b9df504bd0eb91512e69d19bb724
Opcode Fuzzy Hash: 4fba22ee684a5f5929baaaf7a6a334e100aa1e28078a7d2bfdd56a9f7f74f4e5
Instruction Fuzzy Hash: 64025D70D00A68AADF20EB65CD55BDEBB74AB44306F4040EAF608771D2DA786F84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040748D Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 382
windowthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00407497
GetDlgItem.USER32(?,000003E8), ref: 004074B0
GetDlgItem.USER32(?,000003EC), ref: 004074BE
GetDlgItem.USER32(?,000003F0), ref: 004074CC
GetDlgItem.USER32(?,000003F1), ref: 004074DA
GetDlgItem.USER32(?,000003E9), ref: 004074E8
GetDlgItem.USER32(?,000003EA), ref: 004074F6
GetDlgItem.USER32(?,000003ED), ref: 00407504
GetDlgItem.USER32(?,00000001), ref: 0040750F
_memset.LIBCMT ref: 0040752F
GetWindowTextW.USER32(?,?,00000208), ref: 00407549
MessageBoxW.USER32(?,?,ALZip Self-Extractor,00000040), ref: 004075A2
GetDriveTypeW.KERNELBASE(?), ref: 0040767C
MessageBoxW.USER32(?,?,ALZip Self-Extractor,00000040), ref: 00407766
MessageBoxW.USER32(?,?,ALZip Self-Extractor,00000040), ref: 004076E2

Part of subcall function 00402A2E: __EH_prolog3_GS.LIBCMT ref: 00402A38
Part of subcall function 00402A2E: _memset.LIBCMT ref: 00402A76
Part of subcall function 00402A2E: LoadStringW.USER32(?,?,00000208), ref: 00402A93

SetWindowTextW.USER32(?,?), ref: 0040782D
SetWindowTextW.USER32(?,?), ref: 00407880
SetWindowTextW.USER32(?,?), ref: 004078D3
SetWindowTextW.USER32(?,?), ref: 00407932
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00407953
ShowWindow.USER32(?,00000000), ref: 0040796C
ShowWindow.USER32(?,00000000), ref: 00407975
ShowWindow.USER32(?,00000005), ref: 0040797F

Part of subcall function 00402D5E: _wcslen.LIBCMT ref: 00402D62

ShowWindow.USER32(?,00000005), ref: 00407989

Part of subcall function 0040274D: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00402754
Part of subcall function 0040274D: ResetEvent.KERNEL32(?,00406579), ref: 0040276A
Part of subcall function 0040274D: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00402779

Part of subcall function 00401E56: __EH_prolog3_GS.LIBCMT ref: 00401E60
Part of subcall function 00401E56: _memset.LIBCMT ref: 00401E9E
Part of subcall function 00401E56: GetModuleFileNameW.KERNEL32(?,00000104,?,00000234,004021EF), ref: 00401EB8

ResumeThread.KERNELBASE(00000000,?,?,?,?,?,00000085,?,?,?,?,?,?,?,0045702C,?), ref: 00407A83

Strings

ALZip Self-Extractor, xrefs: 0040759B, 004076D6, 0040775F

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Window$Item$Text$MessageShow$H_prolog3__memset$CriticalSection$DriveEnterEventFileLeaveLoadModuleNameResetResumeSendStringThreadType_wcslen
String ID: ALZip Self-Extractor
API String ID: 1713260999-1641417939
Opcode ID: 5c57500ac0e20abf3e8649519d610568579ad055f0b1b49c70d5012d5bb13cd5
Instruction ID: 5a6b336e374d7c983e5d455a7660ff125c038b7151c9c2b3ecf8c06a6090e45c
Opcode Fuzzy Hash: 5c57500ac0e20abf3e8649519d610568579ad055f0b1b49c70d5012d5bb13cd5
Instruction Fuzzy Hash: 17F14D31D402289BDB21EB65CD49BDDBBB8AF44704F4000EAE508771A1CBB86F85CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004094F1 Relevance: 36.9, APIs: 2, Strings: 19, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A3E9: __EH_prolog3.LIBCMT ref: 0041A3F0
Part of subcall function 0041A3E9: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A463
Part of subcall function 0041A3E9: ~_Task_impl.LIBCPMT ref: 0041A46E

Part of subcall function 0041A8ED: __EH_prolog3.LIBCMT ref: 0041A8F4
Part of subcall function 0041A8ED: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A933
Part of subcall function 0041A8ED: ~_Task_impl.LIBCPMT ref: 0041A93F

Part of subcall function 0041A94E: __EH_prolog3.LIBCMT ref: 0041A955
Part of subcall function 0041A94E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A9CF
Part of subcall function 0041A94E: ~_Task_impl.LIBCPMT ref: 0041A9DA

Part of subcall function 0041A9F7: __EH_prolog3.LIBCMT ref: 0041A9FE
Part of subcall function 0041A9F7: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AA48
Part of subcall function 0041A9F7: ~_Task_impl.LIBCPMT ref: 0041AA53

~_Task_impl.LIBCPMT ref: 00409739

Part of subcall function 0041A356: __EH_prolog3.LIBCMT ref: 0041A35D
Part of subcall function 0041A356: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A37C

~_Task_impl.LIBCPMT ref: 00409747

Strings

AES-128 bit, xrefs: 004096FE
OPTIMUM, xrefs: 0040958B
.sys, .com, , xrefs: 004095B4
BZ2, xrefs: 0040960F
LEA-256 bit, xrefs: 00409725
LZMA, xrefs: 004095D8, 004095DD, 0040963E
Store, xrefs: 004095F4, 0040969C, 004096A1, 004096E2
Deflate, xrefs: 00409595, 00409674, 004096CC
Nocomp, xrefs: 004096E3
Maximum, xrefs: 0040963F
.ppt, .xls, .doc, .ani, .ico, .cur, .pcx, .emf, , xrefs: 004095CF
CS_PRIORITY, xrefs: 0040966A
.h, .c, .java, .cpp, .txt, .pas, .xml, .html, .htm, .bat, .1st, .ans, .asc, .ascii, .bbs, .charset, .dbt, .err, .faq, .hs, .klg, ., xrefs: 00409606
AZO, xrefs: 004095BD
AES-256 bit, xrefs: 0040970B
Zip 2.0 Compatible, xrefs: 004096F1
.alz, .arc, .arj, .bz, .bz2, .cab, .egg, .ice, .ear, .war, .gz, .ha, .jar, .lha, .lzh, .pak, .rar, .tbz, .tbz2, .tgz, .7z, .z, .zi, xrefs: 004095EB, 00409693
LEA-128 bit, xrefs: 00409718
Normal, xrefs: 004096D1

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$Task_impl$BaseBase::~Concurrency::details::H_prolog3
String ID: .alz, .arc, .arj, .bz, .bz2, .cab, .egg, .ice, .ear, .war, .gz, .ha, .jar, .lha, .lzh, .pak, .rar, .tbz, .tbz2, .tgz, .7z, .z, .zi$.h, .c, .java, .cpp, .txt, .pas, .xml, .html, .htm, .bat, .1st, .ans, .asc, .ascii, .bbs, .charset, .dbt, .err, .faq, .hs, .klg, .$.ppt, .xls, .doc, .ani, .ico, .cur, .pcx, .emf, $.sys, .com, $AES-128 bit$AES-256 bit$AZO$BZ2$CS_PRIORITY$Deflate$LEA-128 bit$LEA-256 bit$LZMA$Maximum$Nocomp$Normal$OPTIMUM$Store$Zip 2.0 Compatible
API String ID: 3832468939-677804057
Opcode ID: 2d07940f9139a36b08c5ee2b796759531e76b633ae26cf90965b5aaaa70d99c1
Instruction ID: ef5c949d7569f891b1ad2d16873632070f51d1dc7eda7def5af14398d19d1f3f
Opcode Fuzzy Hash: 2d07940f9139a36b08c5ee2b796759531e76b633ae26cf90965b5aaaa70d99c1
Instruction Fuzzy Hash: 43514AB07D534476D110B7738C47F9F69588B40F18F10091F7A65B61C3EAAC99A441AF

Uniqueness

Uniqueness Score: -1.00%

Function 00401F09 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 227
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00401F10

Part of subcall function 00401E56: __EH_prolog3_GS.LIBCMT ref: 00401E60
Part of subcall function 00401E56: _memset.LIBCMT ref: 00401E9E
Part of subcall function 00401E56: GetModuleFileNameW.KERNEL32(?,00000104,?,00000234,004021EF), ref: 00401EB8

CreateFileW.KERNELBASE(:O@,80000000,00000001,00000000,00000003,00000080,00000000,00000064,00404F3A), ref: 00401F3F
SetFilePointer.KERNELBASE(00000000,00000000,00000000), ref: 00401F61
ReadFile.KERNELBASE(00000000,?,00000004,?,00000000), ref: 00401F79
CloseHandle.KERNEL32(?), ref: 00401F86
ReadFile.KERNELBASE(00000000,?,00000004,00000004,00000000), ref: 00401FD1
ReadFile.KERNEL32(00000000,?,00000002,00000004,00000000), ref: 00401FE8
ReadFile.KERNEL32(00000000,?,00000004,00000002,00000000), ref: 00401FFC
_memset.LIBCMT ref: 00402041
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00402055

Part of subcall function 004084D8: __EH_prolog3_GS.LIBCMT ref: 004084DF
Part of subcall function 004084D8: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000058,004020A6,?,?), ref: 0040852A
Part of subcall function 004084D8: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,?), ref: 00408568

Part of subcall function 00402D13: char_traits.LIBCPMT ref: 00402D38

ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00402133
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00402150
CloseHandle.KERNEL32(?), ref: 00402179

Strings

:O@, xrefs: 00401F26, 00401F2B, 00401F3E
EGGA, xrefs: 00401FA5

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: File$Read$CloseH_prolog3_$ByteCharHandleMultiWide_memset$ChangeCreateFindModuleNameNotificationPointerchar_traits
String ID: :O@$EGGA
API String ID: 1485617443-2676591978
Opcode ID: 4c3cb92852db6974c16d4e83deafbbc2021d6ba3a5e95525f8b02e855bf9d488
Instruction ID: 315b6d5a364f6f68c0df25ec470265eeea3d68fb759409c8e58ad8c34a1c3c2b
Opcode Fuzzy Hash: 4c3cb92852db6974c16d4e83deafbbc2021d6ba3a5e95525f8b02e855bf9d488
Instruction Fuzzy Hash: C4815A71D00208AEDF11EBD4CD89AEEB7B8EB44704F10403AE601BB1E5D7B85E49CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004044FA Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 00404504
_memset.LIBCMT ref: 0040456E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000024,00000001), ref: 00404583

Part of subcall function 00402D5E: _wcslen.LIBCMT ref: 00402D62

_memset.LIBCMT ref: 004045EA
GetTempPathW.KERNEL32(00000104,?,00000001,00000000,?), ref: 004045FE
_memset.LIBCMT ref: 00404655
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000028,00000001,?,?,?,00000001,00000000,?), ref: 0040466A
_memset.LIBCMT ref: 004046CF
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000001,00000001,00000000,?,?,?,?,00000001,00000000,?), ref: 004046E4
_memset.LIBCMT ref: 00404749
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000026,00000001,?,?,0045702C,00000001,00000000,?,?,?,?,00000001,00000000,?), ref: 0040475E
_memset.LIBCMT ref: 004047CA
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000001,00000001,00000000,?,?,?,0045702C,00000001,00000000,?), ref: 004047DD

Strings

DH@, xrefs: 00404517

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Path_memset$FolderSpecial$H_prolog3_Temp_wcslen
String ID: DH@
API String ID: 1153633231-3333322899
Opcode ID: 7d132de6c2798901d98bbcbea4a9c7bf4dfefcf696c47455a75442a19b3741d4
Instruction ID: 4932e0c127ac1e4e43860afbc6adc43b9c35df062d3fe2721c120fc9494f3624
Opcode Fuzzy Hash: 7d132de6c2798901d98bbcbea4a9c7bf4dfefcf696c47455a75442a19b3741d4
Instruction Fuzzy Hash: 429116B1900218AADB10EB51DD46BDD77B8AF04708F4441E6F708BB1D2D7B89B49CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403925 Relevance: 24.3, APIs: 16, Instructions: 281
windowsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(000000FF,F14CC7D6), ref: 00403959
PostMessageW.USER32(?,000004CE,00000000,00000000), ref: 00403A63
~_Task_impl.LIBCPMT ref: 00403BF0
~_Task_impl.LIBCPMT ref: 00403C38
~_Task_impl.LIBCPMT ref: 00403C46
PostMessageW.USER32(?,000004CB,00000000,00000000), ref: 00403C94
~_Task_impl.LIBCPMT ref: 00403CA3
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00403CB9
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00403CCA

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Task_impl$CriticalMessagePostSection$EnterLeaveObjectSingleWait
String ID:
API String ID: 2498937983-0
Opcode ID: 19ad5cd396bb67095a7883a4f5caa5f134ebf47b8cab245b9b587e16d3d37764
Instruction ID: 9b926f8f2c56e41596d8b9d682cf831b512f0bc593295f264a8243cf9ef7ab9e
Opcode Fuzzy Hash: 19ad5cd396bb67095a7883a4f5caa5f134ebf47b8cab245b9b587e16d3d37764
Instruction Fuzzy Hash: 22B125716087009FD710DF25D841A2ABBE8EF48319F10892EF556A73E2DB78E944CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004052D6 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004052E0
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 004052FD
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00405316
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00405319
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 0040532C
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 0040539F
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 004053B3
GetDlgItem.USER32(?,000003E9), ref: 004053C3
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00405439
GetDlgItem.USER32(?,000003F0), ref: 004054A7
SetWindowTextW.USER32(00000000,?), ref: 004054B7

Strings

~}3, xrefs: 004052FF, 004053A8
~}3, xrefs: 0040531B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Item$H_prolog3_MessageSendTextWindow
String ID: ~}3$~}3
API String ID: 867313336-611890143
Opcode ID: 21ee13c3576bda6a716c4e560b5126dbcdaa066405d0849d8954a1ec7af3fb2a
Instruction ID: 5de49d1e40048030222d03945dc8526da010badb395f68391567fa4b1f6c8789
Opcode Fuzzy Hash: 21ee13c3576bda6a716c4e560b5126dbcdaa066405d0849d8954a1ec7af3fb2a
Instruction Fuzzy Hash: EC71F575E002089FCB04DFA9D981ADCBBF5BB48315F20802AE909BB395DB786945CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00402199 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 004021C4
_memset.LIBCMT ref: 004021DF

Part of subcall function 00401E56: __EH_prolog3_GS.LIBCMT ref: 00401E60
Part of subcall function 00401E56: _memset.LIBCMT ref: 00401E9E
Part of subcall function 00401E56: GetModuleFileNameW.KERNEL32(?,00000104,?,00000234,004021EF), ref: 00401EB8

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040220C
ReadFile.KERNELBASE(00000000,?,00000040,?,00000000), ref: 0040225E
CloseHandle.KERNEL32(00000000), ref: 0040226F
SetFilePointer.KERNELBASE(00000000,?,00000000,00000000), ref: 0040227E
ReadFile.KERNELBASE(00000000,?,000000F8,?,00000000), ref: 00402299
CloseHandle.KERNEL32(00000000), ref: 004022A8
ReadFile.KERNEL32(?,?,00000028,?,00000000), ref: 0040230A
FindCloseChangeNotification.KERNELBASE(?), ref: 00402323

Strings

PE, xrefs: 0040229B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: File$CloseRead_memset$Handle$ChangeCreateFindH_prolog3_ModuleNameNotificationPointer
String ID: PE
API String ID: 694830476-4258593460
Opcode ID: 074204a7431df1bf5982fb50f107c6f4bbe5868e4d3e5ddafc409ddf3a238516
Instruction ID: 35fc2df4358ee18656b6035cd1d6dedb407a42ec0ce3f276ddcaa0e2af90c602
Opcode Fuzzy Hash: 074204a7431df1bf5982fb50f107c6f4bbe5868e4d3e5ddafc409ddf3a238516
Instruction Fuzzy Hash: 92417171900218AFEB10DBA4DC85FFEB7B8EB48704F1044AAE609B71D2D7745E898F65

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8FD Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0040A904

Part of subcall function 00416CA1: ~_Task_impl.LIBCPMT ref: 00416CBA

~_Task_impl.LIBCPMT ref: 0040A9FB
~_Task_impl.LIBCPMT ref: 0040A9B8

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0040A9AC

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

~_Task_impl.LIBCPMT ref: 0040AA35
~_Task_impl.LIBCPMT ref: 0040AA7D
~_Task_impl.LIBCPMT ref: 0040AA88
~_Task_impl.LIBCPMT ref: 0040AADD
~_Task_impl.LIBCPMT ref: 0040AAE9

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

Strings

Store, xrefs: 0040AA95

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$Task_impl$H_prolog3$BaseBase::~Concurrency::details::
String ID: Store
API String ID: 1430828601-1050048371
Opcode ID: b4ef5b7fa14370d02c226feaf57e1f71127470eec3434467e91cce022d4e2713
Instruction ID: 982f51e314e000b72ee753e09ae6319e261d1696898396379627665ef6ed30dd
Opcode Fuzzy Hash: b4ef5b7fa14370d02c226feaf57e1f71127470eec3434467e91cce022d4e2713
Instruction Fuzzy Hash: D1516070A04248EADF01EBA5C541BDDBBF5AF18308F14809EF405B72D2DB789E45DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00403D69 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 298
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041ED5B: __EH_prolog3.LIBCMT ref: 0041ED62

Part of subcall function 0043E277: _malloc.LIBCMT ref: 0043E291

PostMessageW.USER32(?,000004CA,00000000,00000000), ref: 00403EB2

Part of subcall function 00414059: __EH_prolog3.LIBCMT ref: 00414060

PostMessageW.USER32(?,000004CA,00000000,00000F00), ref: 00403F78
PostMessageW.USER32(?,000004CA,00000000,00000000), ref: 0040404F
_memset.LIBCMT ref: 00404111
~_Task_impl.LIBCPMT ref: 00404166
PostMessageW.USER32(?,000004CA,00000000,00000000), ref: 004041AB
~_Task_impl.LIBCPMT ref: 004041BD

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

Part of subcall function 00420560: __EH_prolog3.LIBCMT ref: 00420567

Strings

n@, xrefs: 00403DD9
%s%s, xrefs: 00404132

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3MessagePost$ContextExternalTask_impl$BaseBase::~Concurrency::details::_malloc_memset
String ID: %s%s$n@
API String ID: 2250645164-844107356
Opcode ID: f4f1879035ad31aa8c12a3ab06fd703ce4d88256ecdc5c6c7af98fcd4b3c4fb2
Instruction ID: 3a8053de4e13f2430c6136818b0e10ea3438fd862935a6b896e6a850e0634f67
Opcode Fuzzy Hash: f4f1879035ad31aa8c12a3ab06fd703ce4d88256ecdc5c6c7af98fcd4b3c4fb2
Instruction Fuzzy Hash: B0B1E7711083419BC720EF21C845BDFB7E8AF84709F10492FF989A7182DB389A45CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 0043E806 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 42
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___set_flsgetvalue.LIBCMT ref: 0043E80C

Part of subcall function 00442DFB: TlsGetValue.KERNEL32(?,0043E811), ref: 00442E04
Part of subcall function 00442DFB: __decode_pointer.LIBCMT ref: 00442E16
Part of subcall function 00442DFB: TlsSetValue.KERNEL32(00000000,0043E811), ref: 00442E25

___fls_getvalue@4.LIBCMT ref: 0043E817

Part of subcall function 00442DDB: TlsGetValue.KERNEL32(?,?,0043E81C,00000000), ref: 00442DE9

___fls_setvalue@8.LIBCMT ref: 0043E82A

Part of subcall function 00442E2F: __decode_pointer.LIBCMT ref: 00442E40

GetLastError.KERNEL32(00000000,?,00000000), ref: 0043E833
RtlExitUserThread.NTDLL(00000000), ref: 0043E83A
GetCurrentThreadId.KERNEL32 ref: 0043E840
__freefls@4.LIBCMT ref: 0043E860
__IsNonwritableInCurrentImage.LIBCMT ref: 0043E873

Strings

=LD, xrefs: 0043E865, 0043E86E, 0043E87D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritableUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
String ID: =LD
API String ID: 2030478265-4270795345
Opcode ID: 484643e575f2a2552a8f44eda2843362626d50ab085e9ad267e53bfb11a86578
Instruction ID: 7a9d2c08523e5e4711fd2e611a56f3ebdfc96b8ae7f7f4723f6f93f03617c589
Opcode Fuzzy Hash: 484643e575f2a2552a8f44eda2843362626d50ab085e9ad267e53bfb11a86578
Instruction Fuzzy Hash: F001FC74D016019BD7087F73D909A0E3BA8EF48349F25802FF40487262EA7CD442CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 0043E7FA Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 37
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004438E9: _doexit.LIBCMT ref: 004438F5

___set_flsgetvalue.LIBCMT ref: 0043E80C

Part of subcall function 00442DFB: TlsGetValue.KERNEL32(?,0043E811), ref: 00442E04
Part of subcall function 00442DFB: __decode_pointer.LIBCMT ref: 00442E16
Part of subcall function 00442DFB: TlsSetValue.KERNEL32(00000000,0043E811), ref: 00442E25

___fls_getvalue@4.LIBCMT ref: 0043E817

Part of subcall function 00442DDB: TlsGetValue.KERNEL32(?,?,0043E81C,00000000), ref: 00442DE9

___fls_setvalue@8.LIBCMT ref: 0043E82A

Part of subcall function 00442E2F: __decode_pointer.LIBCMT ref: 00442E40

GetLastError.KERNEL32(00000000,?,00000000), ref: 0043E833
RtlExitUserThread.NTDLL(00000000), ref: 0043E83A
GetCurrentThreadId.KERNEL32 ref: 0043E840
__freefls@4.LIBCMT ref: 0043E860
__IsNonwritableInCurrentImage.LIBCMT ref: 0043E873

Strings

=LD, xrefs: 0043E865, 0043E86E, 0043E87D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritableUser___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
String ID: =LD
API String ID: 3333014375-4270795345
Opcode ID: f856b85c8f657d2e7845bcc27df93fcd2439d04ca8401a42b7141206c22e966d
Instruction ID: 0c51c26575e3b3e8418aa6a8ee2583dd6d910df242756727730537b96355cd23
Opcode Fuzzy Hash: f856b85c8f657d2e7845bcc27df93fcd2439d04ca8401a42b7141206c22e966d
Instruction Fuzzy Hash: 8DF09670C0160297EF143BB3DD1E65F3A68AF08399F65042BF90183161EEBCD4418AAE

Uniqueness

Uniqueness Score: -1.00%

Function 0042F824 Relevance: 12.1, APIs: 8, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0042F82B
CreateFileW.KERNELBASE(?,?,00000004,00000000,00000003,08000000,00000000,?,?,?,?,?,?,00000044), ref: 0042F8A0
GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,00000044), ref: 0042F8BE
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000044), ref: 0042F8CF
CreateFileW.KERNEL32(?,?,00000004,00000000,00000002,00000000,00000000,?,?,?,?,?,?,00000044), ref: 0042F8E3
GetLastError.KERNEL32(?,?,?,?,?,?,00000044), ref: 0042F8F0
SetFileAttributesW.KERNEL32(?,00000004,?,?,?,?,?,?,00000044), ref: 0042F8FE

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: File$Attributes$Create$ErrorH_prolog3Last
String ID:
API String ID: 3939419778-0
Opcode ID: 888e731de5a133f32a9c7b1441f2660f27fe32b165df3aeb2163d56e2a30b4a8
Instruction ID: c1b6d76b6e0bb7013e57c2c8afd5d12284e460d9a87751ff3c1ace5f9f9b4ae4
Opcode Fuzzy Hash: 888e731de5a133f32a9c7b1441f2660f27fe32b165df3aeb2163d56e2a30b4a8
Instruction Fuzzy Hash: B741CF70900319ABDF109FA0DC45BAEBFB4FF04318F90463AF925A62A1C7795A49DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0040B250 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

APIs

~_Task_impl.LIBCPMT ref: 0040B407
~_Task_impl.LIBCPMT ref: 0040B43A
~_Task_impl.LIBCPMT ref: 0040B48A
~_Task_impl.LIBCPMT ref: 0040B496
~_Task_impl.LIBCPMT ref: 0040B568

Strings

, xrefs: 0040B331

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Task_impl
String ID:
API String ID: 3172761019-3916222277
Opcode ID: 9c6dea6744d61ff2b0a3c49b4d2ba2b511cc7a5450c3b3bb325e61df80de58b8
Instruction ID: 09548a517d716684e2d2dafdf42a77c6bc514044bea958211a1156aa3bccbe40
Opcode Fuzzy Hash: 9c6dea6744d61ff2b0a3c49b4d2ba2b511cc7a5450c3b3bb325e61df80de58b8
Instruction Fuzzy Hash: E1A15B715083819FC701EF69C880A9BBBE5FF84708F04096EF594A72A2C778D945CB9B

Uniqueness

Uniqueness Score: -1.00%

Function 00407E31 Relevance: 10.7, APIs: 7, Instructions: 180windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407B5D: __EH_prolog3_GS.LIBCMT ref: 00407B67
Part of subcall function 00407B5D: _wcslen.LIBCMT ref: 00407C7D

Part of subcall function 00417E3E: __EH_prolog3.LIBCMT ref: 00417E45

Part of subcall function 0040240B: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 0040241C
Part of subcall function 0040240B: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00402460

~_Task_impl.LIBCPMT ref: 00407FD1
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00408029
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00408044
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00408047
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00408057
SendMessageW.USER32(?,000004C9,00000000,00000000), ref: 00408064
~_Task_impl.LIBCPMT ref: 004080A6

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Task_impl$H_prolog3H_prolog3_MessageSend_wcslen
String ID:
API String ID: 3193948153-0
Opcode ID: b0a17ff658505b79a4ac5721b8c3e356988d358ae1b346c2fff1d38b23e06b19
Instruction ID: b9cb9b3349322690746e1a5f23698649cfac5f62f64b40bcac7deec653fa0886
Opcode Fuzzy Hash: b0a17ff658505b79a4ac5721b8c3e356988d358ae1b346c2fff1d38b23e06b19
Instruction Fuzzy Hash: 27715C719083419FC710DF65C880A9FBBE4BF89314F40492FF998A3291DB78A945CB5B

Uniqueness

Uniqueness Score: -1.00%

Function 00404FA9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

DialogBoxParamW.USER32(00000000,00000087,?,00406BF9,?), ref: 00405007
DialogBoxParamW.USER32(00000000,00000084,?,00406A0A,00000000), ref: 00405025

Part of subcall function 00401CEA: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00401CF2
Part of subcall function 00401CEA: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00401CFF

Strings

~}3, xrefs: 00405117

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CriticalDialogParamSection$EnterLeave
String ID: ~}3
API String ID: 3085697989-2221931237
Opcode ID: 5834d5ccdfd5c29c5cc749e8ff1f8b77c102712633d67aa52e6a1383110c5871
Instruction ID: 778a5befaa6801f058060ee06ca4568f2298abe523b53aac0ce12a7946536d5a
Opcode Fuzzy Hash: 5834d5ccdfd5c29c5cc749e8ff1f8b77c102712633d67aa52e6a1383110c5871
Instruction Fuzzy Hash: 5141BF31A14E16ABDB106F649C19E6F3658FF05394F14043BF852B62D2DA3CD8119EEE

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405D87
_memset.LIBCMT ref: 00405DC5
PathCompactPathExW.SHLWAPI(?,?,00000028,00000000), ref: 00405DE7
GetDlgItem.USER32(?,000003F1), ref: 00405E19
SetWindowTextW.USER32(00000000,?), ref: 00405E36

Strings

%s (%d/%d), xrefs: 00405DFB

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Path$CompactH_prolog3_ItemTextWindow_memset
String ID: %s (%d/%d)
API String ID: 3563190175-953352955
Opcode ID: a9324dcaebaec56a8f23a944ac7e61a506aad89c0d2bea48290006b36e0a9594
Instruction ID: ba876197449a85af9009405313cd9773537dc1ed11e522f3876f58b9ab43e9b8
Opcode Fuzzy Hash: a9324dcaebaec56a8f23a944ac7e61a506aad89c0d2bea48290006b36e0a9594
Instruction Fuzzy Hash: 2C217C31940219ABDB10EB61CD8DBE9B774FF04705F5045EAF508BA0A1DB78AB85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0043E889 Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0043E8BA
__calloc_crt.LIBCMT ref: 0043E8C6
__getptd.LIBCMT ref: 0043E8D3
CreateThread.KERNELBASE(?,?,0043E806,00000000,?,?), ref: 0043E90A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 0043E914
__dosmaperr.LIBCMT ref: 0043E92C

Part of subcall function 004402AD: __getptd_noexit.LIBCMT ref: 004402AD

Part of subcall function 0043E14D: __decode_pointer.LIBCMT ref: 0043E158

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1803633139-0
Opcode ID: da391700652f45fe4b238581048e460af52c52fc0829828d1c31847ba6f09259
Instruction ID: 55a883f71d3ddd8d9b1422bad3292b9f188092b29ee0c436280b0da7c41105f6
Opcode Fuzzy Hash: da391700652f45fe4b238581048e460af52c52fc0829828d1c31847ba6f09259
Instruction Fuzzy Hash: 2111E272901206BFEB11BFA6DC4699F7BA5EF08324F20003FF50193291DA798D019B68

Uniqueness

Uniqueness Score: -1.00%

Function 00404EFC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00404F17
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00404F24

Part of subcall function 00402199: _memset.LIBCMT ref: 004021C4
Part of subcall function 00402199: _memset.LIBCMT ref: 004021DF
Part of subcall function 00402199: CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040220C

MessageBoxW.USER32(00000000,?,ALZip Self-Extractor,00000010), ref: 00404F65

Part of subcall function 00401F09: __EH_prolog3_GS.LIBCMT ref: 00401F10
Part of subcall function 00401F09: CreateFileW.KERNELBASE(:O@,80000000,00000001,00000000,00000003,00000080,00000000,00000064,00404F3A), ref: 00401F3F
Part of subcall function 00401F09: SetFilePointer.KERNELBASE(00000000,00000000,00000000), ref: 00401F61
Part of subcall function 00401F09: ReadFile.KERNELBASE(00000000,?,00000004,?,00000000), ref: 00401F79
Part of subcall function 00401F09: CloseHandle.KERNEL32(?), ref: 00401F86

DialogBoxParamW.USER32(?,00000082,00000000,00404FA9,00000000), ref: 00404F90

Strings

ALZip Self-Extractor, xrefs: 00404F5E

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: File$CreateCriticalSection_memset$CloseDialogEnterH_prolog3_HandleLeaveMessageParamPointerRead
String ID: ALZip Self-Extractor
API String ID: 1226183020-1641417939
Opcode ID: 4514babd72805a4f97f5efb0ccd39af64b43824979a197a7588e27fe42a08d13
Instruction ID: 5a040a90e192a037237e2f18c029d94b20d0c8f0b11ae0d6018b99f435ed9717
Opcode Fuzzy Hash: 4514babd72805a4f97f5efb0ccd39af64b43824979a197a7588e27fe42a08d13
Instruction Fuzzy Hash: 4D1129B0614310AFC210AB359C0996F3BD8AF49B25F00493AF949F61D1D7B8D9008BDF

Uniqueness

Uniqueness Score: -1.00%

Function 0042BD93 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0042BDEB

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0042BE3C

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 0042BE6C

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

Part of subcall function 0041DCFD: __EH_prolog3.LIBCMT ref: 0041DD04

Part of subcall function 0041B485: __EH_prolog3.LIBCMT ref: 0041B48C
Part of subcall function 0041B485: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041B4AA

_memset.LIBCMT ref: 0042BEE8
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0042C024

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::H_prolog3$Task_impl$_memset
String ID:
API String ID: 1412648963-0
Opcode ID: 4383137fd3eb947852ce0fd49e27fa79be92c8c0bcaa500b87a97b6f0eae1af4
Instruction ID: c770509db2a3e84330de57b35a5ba658a8c3a8e8283314bdbbc15bf309ae2c3d
Opcode Fuzzy Hash: 4383137fd3eb947852ce0fd49e27fa79be92c8c0bcaa500b87a97b6f0eae1af4
Instruction Fuzzy Hash: 34718E715047019BD720EF66C882ADBB7E8FF84308F40491EF5A693291DB78A549CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0043FE35 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0043FE53

Part of subcall function 0044697C: __mtinitlocknum.LIBCMT ref: 00446992
Part of subcall function 0044697C: __amsg_exit.LIBCMT ref: 0044699E
Part of subcall function 0044697C: RtlEnterCriticalSection.NTDLL(?), ref: 004469A6

___sbh_find_block.LIBCMT ref: 0043FE5E
___sbh_free_block.LIBCMT ref: 0043FE6D
RtlFreeHeap.NTDLL(00000000,?,00464908,0000000C,00442FDA,00000000,?,00443470,?,00000001,?,?,00446906,00000018,00464B88,0000000C), ref: 0043FE9D
GetLastError.KERNEL32(?,00443470,?,00000001,?,?,00446906,00000018,00464B88,0000000C,00446997,?,?,?,00443094,0000000D), ref: 0043FEAE

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: 5300c6c498e8fd61fbe9791e63c6718f99e74771db2cddb66bce504695a31399
Instruction ID: f8702364e22f2538d7e7c5ef3f1eb3872c6fde0dd602b4deca29473c6bb6485a
Opcode Fuzzy Hash: 5300c6c498e8fd61fbe9791e63c6718f99e74771db2cddb66bce504695a31399
Instruction Fuzzy Hash: F701A772D05711AAEB306FB29C0BB5F3A60AF04729F10506FF410661E2DBBC89448E5D

Uniqueness

Uniqueness Score: -1.00%

Function 00409E50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00409E83
_memset.LIBCMT ref: 00409E9E

Strings

(, xrefs: 00409F7D
PE, xrefs: 00409F22

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset
String ID: ($PE
API String ID: 2102423945-3347799738
Opcode ID: d4858db9d3c4cf8fc99c67914f32ef8c37a03b2b01dd07a5bbdb9d8698bdc9dd
Instruction ID: 0b817e10a45c20061ec00f5ff7b141c3c80ff4d8b5b3e03367fbe163a56e4639
Opcode Fuzzy Hash: d4858db9d3c4cf8fc99c67914f32ef8c37a03b2b01dd07a5bbdb9d8698bdc9dd
Instruction Fuzzy Hash: 8C412CB1E10219AFDF20DF69CD80AEEB779AF08748F10807AE904B7282D7749E459F55

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA07 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0041DA3E
_strlen.LIBCMT ref: 0041DA4C
InterlockedIncrement.KERNEL32(00000004), ref: 0041DABB
_malloc.LIBCMT ref: 0041DAC9

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: IncrementInterlocked_malloc_strlen_wcslen
String ID:
API String ID: 3295947797-0
Opcode ID: 5e5a10eb52dc2cafeec062705e7fa25071dd29ce49bdf9c3cc7c2e9e663193f2
Instruction ID: bb8d8023a125aaba1ce75cb7bf0c76376d19025c2abd1ee5c70b97d419093309
Opcode Fuzzy Hash: 5e5a10eb52dc2cafeec062705e7fa25071dd29ce49bdf9c3cc7c2e9e663193f2
Instruction Fuzzy Hash: 0631D4B1A043049FDB14DF69C8849A6B7B4FF48354F09452AF91ACB3A2D778EC44C758

Uniqueness

Uniqueness Score: -1.00%

Function 0043E277 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0043E291

Part of subcall function 0043FF12: __FF_MSGBANNER.LIBCMT ref: 0043FF35
Part of subcall function 0043FF12: __NMSG_WRITE.LIBCMT ref: 0043FF3C
Part of subcall function 0043FF12: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 0043FF89

std::bad_alloc::bad_alloc.LIBCMT ref: 0043E2B4

Part of subcall function 0043E25C: std::exception::exception.LIBCMT ref: 0043E268

Strings

P?, xrefs: 0043E2D5

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: AllocateHeap_mallocstd::bad_alloc::bad_allocstd::exception::exception
String ID: P?
API String ID: 3447465555-1630831327
Opcode ID: 2e8f0e2e7b842902f5a4a4d17f8203f8a6ebc7ccb06e14216effbd829d1273f4
Instruction ID: 500d92e69a0a925c2ee20fc51a6e94889eea3773d246cff9ee612ebb79e76a98
Opcode Fuzzy Hash: 2e8f0e2e7b842902f5a4a4d17f8203f8a6ebc7ccb06e14216effbd829d1273f4
Instruction Fuzzy Hash: 15F0273190024926CF04B763EC1296B3B5C9F4571CF2090ABFC40660D2EFBDC906865E

Uniqueness

Uniqueness Score: -1.00%

Function 0042EFEC Relevance: 4.6, APIs: 3, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042EFF3

Part of subcall function 0041348C: __EH_prolog3.LIBCMT ref: 00413493

Part of subcall function 0042EDA9: __EH_prolog3_GS.LIBCMT ref: 0042EDB0
Part of subcall function 0042EDA9: GetFileAttributesW.KERNELBASE(?,?,00000040,0042F016,?,?,0000006C,004183CF,?), ref: 0042EDDA

CreateDirectoryW.KERNELBASE(?,00000000,?,00000001,?,?,0000006C,004183CF,?), ref: 0042F124

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3_$AttributesCreateDirectoryFileH_prolog3
String ID:
API String ID: 85581025-0
Opcode ID: 74bff80c903f231255b67766380d3aed667114e9297976b9b998d1e8d7b7901c
Instruction ID: 3466b981ef3e8a8bc12ed6af27326b4593a66621a910f66cf8908a130ca03b5f
Opcode Fuzzy Hash: 74bff80c903f231255b67766380d3aed667114e9297976b9b998d1e8d7b7901c
Instruction Fuzzy Hash: 38519232E102289ADB20EBE5EC41BEDB374AF41714F91013BE515BB1D2DA785E49CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0042F20D Relevance: 4.6, APIs: 3, Instructions: 126timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,00000000,00000000,00000000), ref: 0042F313
GetLastError.KERNEL32(?,00000005), ref: 0042F31D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ErrorFileLastTime
String ID:
API String ID: 2212998366-0
Opcode ID: 8751583b0aeada1376308e8e2cbbe144cabe2406b73cbacb44bd52ca75714e8c
Instruction ID: 6d4b1f2d82df0ebcc6ced3fef968453a2ab799272f8240b3c1fabb743210c7d8
Opcode Fuzzy Hash: 8751583b0aeada1376308e8e2cbbe144cabe2406b73cbacb44bd52ca75714e8c
Instruction Fuzzy Hash: 84416B702047018FC314CF29D480A2BBBF4BF89708F948A7EE8D987261D735E949CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0042163A Relevance: 4.6, APIs: 3, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 004216B9

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 004216E7

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

~_Task_impl.LIBCPMT ref: 00421733

Part of subcall function 00417C15: _wcslen.LIBCMT ref: 00417C2B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::H_prolog3$Task_impl$_wcslen
String ID:
API String ID: 601930181-0
Opcode ID: a2449a67e137c3be227996ee03b734568cb3d15cf956625ca39ae1bb628b28da
Instruction ID: 448332fe1b3a91efe93e9e50beb68e7839f626b797f7462d20a51cff3891e18a
Opcode Fuzzy Hash: a2449a67e137c3be227996ee03b734568cb3d15cf956625ca39ae1bb628b28da
Instruction Fuzzy Hash: CC41A5712047019BC714EF35D881BEBB7E9EF95314F400A2EF5A682191EF38A949CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042F38A Relevance: 4.6, APIs: 3, Instructions: 108timeCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32(?), ref: 0042F3FC
GetLastError.KERNEL32 ref: 0042F406
GetFileAttributesW.KERNELBASE(00000000), ref: 0042F477

Part of subcall function 0042F568: FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0042F426,?), ref: 0042F575
Part of subcall function 0042F568: SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0042F426,?), ref: 0042F585

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Time$File$System$AttributesErrorLastLocalSpecific
String ID:
API String ID: 584764771-0
Opcode ID: c2a00f85819e7d1974a750cec90f94be2f95e16a643e75f53319443f8bf5e502
Instruction ID: ae1c6323d5a5710bd2bf010a2a7227c3f2ffc887556d35e21f887b3611091920
Opcode Fuzzy Hash: c2a00f85819e7d1974a750cec90f94be2f95e16a643e75f53319443f8bf5e502
Instruction Fuzzy Hash: 9831A2726147108FC724EF29E894A2BB7F5BB94310FC44A3EE49AC7251D778E50C8B49

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC75 Relevance: 4.6, APIs: 3, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040AC7C

Part of subcall function 0040BC79: FileTimeToSystemTime.KERNEL32(00000001,?,?,?), ref: 0040BC99

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0040AD51

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

~_Task_impl.LIBCPMT ref: 0040AD70

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$H_prolog3$BaseBase::~Concurrency::details::$Task_implTime$FileSystem
String ID:
API String ID: 1286750186-0
Opcode ID: 99dc551492bed9c2fde4ccf3d61935ea1ed5dc272418cfdf51c8920fe4a4345c
Instruction ID: f7a1d5e0895f007203416a78b7c85d31d71b20594887372bb833d8c24e101999
Opcode Fuzzy Hash: 99dc551492bed9c2fde4ccf3d61935ea1ed5dc272418cfdf51c8920fe4a4345c
Instruction Fuzzy Hash: E5317E72D0060AABCF05DFE5C851AEEBBB6BF08304F04412FE501B7691DB389A59CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00405C50 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000066), ref: 00405C97
SetWindowTextW.USER32(00000000,?), ref: 00405CC9
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00405D03

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CallbackDispatcherItemTextUserWindow
String ID:
API String ID: 35929931-0
Opcode ID: 82475e1d517b2cde2044b77ce3db82b707dbb6ff0570620b32f36338606b4e54
Instruction ID: e114b1f69ac210912a751ea47597f0c7d50794b980523d0d9df8501aa343caa2
Opcode Fuzzy Hash: 82475e1d517b2cde2044b77ce3db82b707dbb6ff0570620b32f36338606b4e54
Instruction Fuzzy Hash: 91110634908B04A6EB206B759D4AABF36A4EB44745F04453BF802FB2C1DA7CD8058F6E

Uniqueness

Uniqueness Score: -1.00%

Function 0042F990 Relevance: 4.5, APIs: 3, Instructions: 27COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0042F99F
SetFileAttributesW.KERNELBASE(00000000,00000000), ref: 0042F9BE
_memset.LIBCMT ref: 0042F9C9

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: AttributesChangeCloseFileFindNotification_memset
String ID:
API String ID: 3845561022-0
Opcode ID: 5a1fd54bde73543954a3de141e289c02440edfa6e5cb1995d7f9f8bc267b546e
Instruction ID: c64057af0379c47fda521629e1972f1cdbadee487bf54a7318b410b3c17137ff
Opcode Fuzzy Hash: 5a1fd54bde73543954a3de141e289c02440edfa6e5cb1995d7f9f8bc267b546e
Instruction Fuzzy Hash: 6EE065717007116BD7606735FC15B6B37A87F54B0AF54043EF045D2191DBACA54D8698

Uniqueness

Uniqueness Score: -1.00%

Function 0043E7C5 Relevance: 4.5, APIs: 3, Instructions: 19COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0043E7D1

Part of subcall function 00442FE9: __getptd_noexit.LIBCMT ref: 00442FEC
Part of subcall function 00442FE9: __amsg_exit.LIBCMT ref: 00442FF9

__endthreadex.LIBCMT ref: 0043E7E1

Part of subcall function 0043E788: __IsNonwritableInCurrentImage.LIBCMT ref: 0043E79B
Part of subcall function 0043E788: __getptd_noexit.LIBCMT ref: 0043E7AB
Part of subcall function 0043E788: __freeptd.LIBCMT ref: 0043E7B5
Part of subcall function 0043E788: RtlExitUserThread.NTDLL(?,?,0043E7E6,00000000), ref: 0043E7BE
Part of subcall function 0043E788: __XcptFilter.LIBCMT ref: 0043E7F2

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __getptd_noexit$CurrentExitFilterImageNonwritableThreadUserXcpt__amsg_exit__endthreadex__freeptd__getptd
String ID:
API String ID: 1003287236-0
Opcode ID: 7be4a9c7324ae9200fd00cc69d826ab98f9e80954eaefff729343047ae19d26f
Instruction ID: 6c74d4a09294f5df4dac338277adc4b07625feddf76927be2362a60f10e67b80
Opcode Fuzzy Hash: 7be4a9c7324ae9200fd00cc69d826ab98f9e80954eaefff729343047ae19d26f
Instruction Fuzzy Hash: C6E08CB4901600DFFB08BBA1C906F2D3774EF44305F60004EF0016B2A2CABC99009B28

Uniqueness

Uniqueness Score: -1.00%

Function 004299F4 Relevance: 3.3, APIs: 2, Instructions: 320COMMON

Download Yara Rule

APIs

~_Task_impl.LIBCPMT ref: 00429AF1

Part of subcall function 00417618: __EH_prolog3.LIBCMT ref: 0041761F
Part of subcall function 00417618: ~_Task_impl.LIBCPMT ref: 00417667
Part of subcall function 00417618: ~_Task_impl.LIBCPMT ref: 00417680

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 00429BF4

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternalTask_impl$H_prolog3$BaseBase::~Concurrency::details::
String ID:
API String ID: 618964925-0
Opcode ID: 9a36d90bceeb4867dca77623a5b162a308f032225b0ea36e689f9a7a9dbfa1af
Instruction ID: 2d7dd54514b509819bfb1aace42535f953ea52162d952b85e566f85dd145bdd5
Opcode Fuzzy Hash: 9a36d90bceeb4867dca77623a5b162a308f032225b0ea36e689f9a7a9dbfa1af
Instruction Fuzzy Hash: 5FD17C712083518FCB15EF29D491AAEB7E5BF88314F50096EF885873A2DB38DC45CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 004295E2 Relevance: 3.2, APIs: 2, Instructions: 245COMMON

Download Yara Rule

APIs

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

~_Task_impl.LIBCPMT ref: 00429639

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0042967F

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175E0
Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175FC

Part of subcall function 0042B3E4: __EH_prolog3_GS.LIBCMT ref: 0042B3EB
Part of subcall function 0042B3E4: ~_Task_impl.LIBCPMT ref: 0042B413

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$Task_impl$BaseBase::~Concurrency::details::H_prolog3$H_prolog3_
String ID:
API String ID: 2255126058-0
Opcode ID: defc0797acb51106c7d8388c2643408e16951e2bde693f3b3cf5866c36827529
Instruction ID: 72f787a01ac398bc64078770512d367c4a2e517a117656be2c43508d0f2625c1
Opcode Fuzzy Hash: defc0797acb51106c7d8388c2643408e16951e2bde693f3b3cf5866c36827529
Instruction Fuzzy Hash: 8F81B3713183119BD714EF25D992BAEB3E5AF84748F50082EF49287392DB3DEC45874A

Uniqueness

Uniqueness Score: -1.00%

Function 004081A0 Relevance: 3.1, APIs: 2, Instructions: 132windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004080E4: __EH_prolog3.LIBCMT ref: 004080EB

SendMessageW.USER32(?,000004CF,?,00000000), ref: 004082FC
SendMessageW.USER32(?,000004D0,?,00000000), ref: 0040831F

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: MessageSend$H_prolog3
String ID:
API String ID: 1885053084-0
Opcode ID: 54174219d14bce4622d60aaef0d4cb8e948230924614d79314ac8b848e2a73ad
Instruction ID: eac633c72afa63e160585990f7fb398a7b4a59b5a5a3420984b5398372c2de86
Opcode Fuzzy Hash: 54174219d14bce4622d60aaef0d4cb8e948230924614d79314ac8b848e2a73ad
Instruction Fuzzy Hash: BB514E715083809FD711DF54C945B9EBBE4FF89714F00092EF984A72A1CB79A948CB97

Uniqueness

Uniqueness Score: -1.00%

Function 00418DF7 Relevance: 3.1, APIs: 2, Instructions: 71COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00418DFE
~_Task_impl.LIBCPMT ref: 00418EC8

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3Task_impl
String ID:
API String ID: 2182512335-0
Opcode ID: c9ecec08ad7f54fd8ae8c101d6c3b0d7c6df616b54cecb54ceac48625934396e
Instruction ID: 532d60a74afb7aa245790a02a113d00ae5d663f20852f97083de1d46b3fca001
Opcode Fuzzy Hash: c9ecec08ad7f54fd8ae8c101d6c3b0d7c6df616b54cecb54ceac48625934396e
Instruction Fuzzy Hash: EF217C30900219EBDF05EFA6C5816EDBB75AF18358F10402FF819A7252DB38DE81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00405246 Relevance: 3.0, APIs: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00405255
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004052C3

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: b633ff00d9f31aebd8698c703da9ef50767492910171b58783858a5729267808
Instruction ID: cda8803e2fe27940c17ec1edc84914bc251466dd876e58acb39f43f2d8b70d1a
Opcode Fuzzy Hash: b633ff00d9f31aebd8698c703da9ef50767492910171b58783858a5729267808
Instruction Fuzzy Hash: 3A1182B1D00708EBCB04DFA1C9557AEBBF4FB08312F20C5A9E415F22A0DB345A008F94

Uniqueness

Uniqueness Score: -1.00%

Function 0042F6EF Relevance: 3.0, APIs: 2, Instructions: 36fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0042F711
GetLastError.KERNEL32 ref: 0042F71B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: b25cf4c17adbee42b79aef3403e6afb843614b08f374dfa2c17fcd78c8e23c7a
Instruction ID: 252276086e0f8dfc2d97bc3a15982b309c1f0c83f1544aadecf1f50c65b26417
Opcode Fuzzy Hash: b25cf4c17adbee42b79aef3403e6afb843614b08f374dfa2c17fcd78c8e23c7a
Instruction Fuzzy Hash: 18014B71610314EFDB248F56E808BAAB7F8BB44344F90803EE94687240EB74E9089F55

Uniqueness

Uniqueness Score: -1.00%

Function 0042F758 Relevance: 3.0, APIs: 2, Instructions: 32fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000), ref: 0042F77A
GetLastError.KERNEL32 ref: 0042F784

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 2c708ce5b5e70e59b143e4ff66a5c71a7d5b1c7042f7dcfb01ec94f31b3e708d
Instruction ID: 6e47449235eedacd214a3a471bfe2f5452a02b41cf46c9a49daed485b3a2f794
Opcode Fuzzy Hash: 2c708ce5b5e70e59b143e4ff66a5c71a7d5b1c7042f7dcfb01ec94f31b3e708d
Instruction Fuzzy Hash: A7F04975610214EFDB10DF66E808B9EB7F8BB44318F80802EE546C7240EB74EA08DF68

Uniqueness

Uniqueness Score: -1.00%

Function 0042EDA9 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042EDB0

Part of subcall function 0041348C: __EH_prolog3.LIBCMT ref: 00413493

GetFileAttributesW.KERNELBASE(?,?,00000040,0042F016,?,?,0000006C,004183CF,?), ref: 0042EDDA

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: AttributesFileH_prolog3H_prolog3_
String ID:
API String ID: 3233049449-0
Opcode ID: 7678379ec79cc3203b9d4f039267d5ec3504841d33ed3fc65fa07d70581f64dd
Instruction ID: a359b7e994934261f3d9583c5d3d66b8d9b403035359139d6ae1fd65def14f1b
Opcode Fuzzy Hash: 7678379ec79cc3203b9d4f039267d5ec3504841d33ed3fc65fa07d70581f64dd
Instruction Fuzzy Hash: 23F0A031A0122497CF15EBAAD9050CDB778AF41715F944A1BF811B7292C77C9E46C78C

Uniqueness

Uniqueness Score: -1.00%

Function 0044604B Relevance: 3.0, APIs: 2, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00446063

Part of subcall function 0044697C: __mtinitlocknum.LIBCMT ref: 00446992
Part of subcall function 0044697C: __amsg_exit.LIBCMT ref: 0044699E
Part of subcall function 0044697C: RtlEnterCriticalSection.NTDLL(?), ref: 004469A6

__tzset_nolock.LIBCMT ref: 00446074

Part of subcall function 00445936: __lock.LIBCMT ref: 00445958
Part of subcall function 00445936: __get_daylight.LIBCMT ref: 0044596D
Part of subcall function 00445936: __invoke_watson.LIBCMT ref: 0044597C
Part of subcall function 00445936: __get_daylight.LIBCMT ref: 00445988
Part of subcall function 00445936: __invoke_watson.LIBCMT ref: 00445997
Part of subcall function 00445936: __get_daylight.LIBCMT ref: 004459A3
Part of subcall function 00445936: __invoke_watson.LIBCMT ref: 004459B2
Part of subcall function 00445936: ____lc_codepage_func.LIBCMT ref: 004459BA
Part of subcall function 00445936: __getenv_helper_nolock.LIBCMT ref: 004459DC
Part of subcall function 00445936: _strlen.LIBCMT ref: 00445A1A
Part of subcall function 00445936: __malloc_crt.LIBCMT ref: 00445A21
Part of subcall function 00445936: _strlen.LIBCMT ref: 00445A37

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __get_daylight__invoke_watson$__lock_strlen$CriticalEnterSection____lc_codepage_func__amsg_exit__getenv_helper_nolock__malloc_crt__mtinitlocknum__tzset_nolock
String ID:
API String ID: 4157481694-0
Opcode ID: 978a5017a68c6763a9c71a96d3e0fa616a6f2ce48f70801047cb5fcc30f8baea
Instruction ID: 763457f191a5cb7b50ccd8b4fe70ac468742e718c140abacae3e6826f0c558a1
Opcode Fuzzy Hash: 978a5017a68c6763a9c71a96d3e0fa616a6f2ce48f70801047cb5fcc30f8baea
Instruction Fuzzy Hash: 28E0C2B0984710DAEA32FFA6980221DB1316B45F66F11417FF090125E2DBB80642CF9F

Uniqueness

Uniqueness Score: -1.00%

Function 004083B5 Relevance: 3.0, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,00403CEE), ref: 004083C6
RtlDeleteCriticalSection.NTDLL ref: 004083D0

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ChangeCloseCriticalDeleteFindNotificationSection
String ID:
API String ID: 1020450066-0
Opcode ID: 67ae502e9639def027de007c7b1b9bc8fc92893e483f96c190ea47854aa27bf3
Instruction ID: 3039fb6ac0943cb22633b9b77535959c7555116527a83c4463e43a7f43878add
Opcode Fuzzy Hash: 67ae502e9639def027de007c7b1b9bc8fc92893e483f96c190ea47854aa27bf3
Instruction Fuzzy Hash: 0FC0127141172197C7102B28BD1C59736E8AF04705305086AFC49E3283DB79DC5186DC

Uniqueness

Uniqueness Score: -1.00%

Function 004436B7 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 004436BF

Part of subcall function 0044368C: GetModuleHandleW.KERNEL32(mscoree.dll,?,004436C4,?,?,0043FF4B,000000FF,0000001E,?,00443470,?,00000001,?,?,00446906,00000018), ref: 00443696
Part of subcall function 0044368C: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004436A6

ExitProcess.KERNEL32 ref: 004436C8

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: fe0157ce4a1c999b23b613b5cc26864a1e246030e00c095048ca47635eeb259b
Instruction ID: 3d4dd1f51e0b2292f50593640656caad3e4086ecf5e1640e34db10ecd1bc13bb
Opcode Fuzzy Hash: fe0157ce4a1c999b23b613b5cc26864a1e246030e00c095048ca47635eeb259b
Instruction Fuzzy Hash: 1EB09B310006487BDB152F26DC0985D7F15EB407527514025F40405131DF71ED52D988

Uniqueness

Uniqueness Score: -1.00%

Function 0042C0B3 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 0042C201

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: d42ed0c4723c42b8edcb0d0775795a3aaf9f2c47ad02ae1aa89149fcf804478a
Instruction ID: a5fe440fdfecc5fdedd484e355e2b02bcbfc5faee50d86bb0be5e4a291b78c62
Opcode Fuzzy Hash: d42ed0c4723c42b8edcb0d0775795a3aaf9f2c47ad02ae1aa89149fcf804478a
Instruction Fuzzy Hash: 63915774B00616EFCB19DF64D5C0AE9F7B1FF08340F10856AE86A97210DB35B9A0DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00420630 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00420637

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: b55c4783ec0ea997bb6914fe603c498d699c8c8706d983e09037d7c4e47ca5cf
Instruction ID: 897c38121aca742cf3af521dab2c3ad79063a8507ec4df7ef20bc097b7d8fcc7
Opcode Fuzzy Hash: b55c4783ec0ea997bb6914fe603c498d699c8c8706d983e09037d7c4e47ca5cf
Instruction Fuzzy Hash: C75113709002199BCF01EF65D485ACDBBB5BF48308F64417BEC05AF216DB78AA85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00419FC5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0041A0A9

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: c502c9d70c1c0c8aacc2144b5314c625061e60ddda7ff032960cd82db6d9b852
Instruction ID: 6224ae7ed7a85da6bba7f7ea15086695645b61cb886cf75a9a5f2da62c8fc933
Opcode Fuzzy Hash: c502c9d70c1c0c8aacc2144b5314c625061e60ddda7ff032960cd82db6d9b852
Instruction Fuzzy Hash: 40313A715017009FCB10DF1AD884A8A7BF5FF88314F10496EF8589B256D734E959CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00409D94 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00409D9B

Part of subcall function 0041ABD9: _memset.LIBCMT ref: 0041ABE7

Part of subcall function 00409E50: _memset.LIBCMT ref: 00409E83
Part of subcall function 00409E50: _memset.LIBCMT ref: 00409E9E

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset$H_prolog3
String ID:
API String ID: 2144794740-0
Opcode ID: db5be84a7fbb6e4ec7ead1a5107482d19e3c065368c7708e6b81a508e1c271df
Instruction ID: 7583fe7703b2d2283357dff9fc8f7e5c7c7ee17632d6b7ddd048583f29b4f886
Opcode Fuzzy Hash: db5be84a7fbb6e4ec7ead1a5107482d19e3c065368c7708e6b81a508e1c271df
Instruction Fuzzy Hash: 3D2109B0D0121A9BDF01DF95C9819EEB775FF14308F10442BE545B6282E3789E59CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042F66C Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0042F6C4

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 48a9c4074d84e33faffbfab9ad2de0d77fb31d6555ca4d2ddd6d503845ea6183
Instruction ID: c381c1fee7fa8a298683391104b38129fb15e8aa7a2bc37115808c28b5200b9d
Opcode Fuzzy Hash: 48a9c4074d84e33faffbfab9ad2de0d77fb31d6555ca4d2ddd6d503845ea6183
Instruction Fuzzy Hash: C701617270412AAFE748CE69EC81AAB73E5FB84311BD4C13FB50AC7250DA70AC168764

Uniqueness

Uniqueness Score: -1.00%

Function 0042110E Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00421149

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: cc280e2375be935d74c22372f687d926dbcb8d0d06842eebb1722bdcc73f66d2
Instruction ID: af8a0ce88d1bf22230ed5d440fdf4da950adfde4eff4fa3f55469bb5b87bd899
Opcode Fuzzy Hash: cc280e2375be935d74c22372f687d926dbcb8d0d06842eebb1722bdcc73f66d2
Instruction Fuzzy Hash: D301E975D00208FBCB21DF99C8449EEFBF8EF58700F50819BA552A2254E7749B55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC79 Relevance: 1.5, APIs: 1, Instructions: 46timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(00000001,?,?,?), ref: 0040BC99

Part of subcall function 0043F9FE: __make__time64_t.LIBCMT ref: 0043FA08

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Time$FileSystem__make__time64_t
String ID:
API String ID: 2393291594-0
Opcode ID: 945139dfa476c15d756834f6c8fc32a3973028623d225c212d42989f56c54cdf
Instruction ID: 69d4df0f326b466fe6c276e323e8cf52ee13aee39d166953f8ba67790cb1da1f
Opcode Fuzzy Hash: 945139dfa476c15d756834f6c8fc32a3973028623d225c212d42989f56c54cdf
Instruction Fuzzy Hash: CB11B7B6D0021DAACB10DFAAD4415FEFBF9EF48711F10412BF955E7280E6388945DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041B524 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00416847: __EH_prolog3.LIBCMT ref: 0041684E
Part of subcall function 00416847: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041687E

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041B578

Part of subcall function 0041DD34: __EH_prolog3.LIBCMT ref: 0041DD3B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::H_prolog3
String ID:
API String ID: 1562071080-0
Opcode ID: fbc09292adbb313ce18c9a971a8e829743436da0b5b215ecd1429b1c1c7d7689
Instruction ID: 9cdaa2b2be47600022c6b5b02bfd8473c2fcddab0618c6d461ceac2c00d39ef4
Opcode Fuzzy Hash: fbc09292adbb313ce18c9a971a8e829743436da0b5b215ecd1429b1c1c7d7689
Instruction Fuzzy Hash: 13F0C8B26087405BC310EB29DC02B57B7D8F745B34F00072EF465936D1EB6C990486DA

Uniqueness

Uniqueness Score: -1.00%

Function 00417D2D Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00417D34

Part of subcall function 0043E277: _malloc.LIBCMT ref: 0043E291

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3_malloc
String ID:
API String ID: 2346879263-0
Opcode ID: 70d88fcef7588bdffb26899be79893ccdbdfcd5114151dde123619913a05a549
Instruction ID: 258ce6b7d0f085ee873b372354d0712a6f586f45f5e2c87cd0e4e12c88f6ad4f
Opcode Fuzzy Hash: 70d88fcef7588bdffb26899be79893ccdbdfcd5114151dde123619913a05a549
Instruction Fuzzy Hash: ECF054716046199BDB50EF79958176A66F0AF08354F55C0BFF909CF382E97CC9408B29

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3B9 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041E3C0

Part of subcall function 0043E277: _malloc.LIBCMT ref: 0043E291

Part of subcall function 0041AF74: __EH_prolog3.LIBCMT ref: 0041AF7B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID:
API String ID: 1683881009-0
Opcode ID: 20989d46390b7344befdede8679176f84c68f558e915de4ff925998c0bd30458
Instruction ID: 4b9063e7813039a7127407ae34af6a5b01f29605eaf4c884dfe734e29d180228
Opcode Fuzzy Hash: 20989d46390b7344befdede8679176f84c68f558e915de4ff925998c0bd30458
Instruction Fuzzy Hash: 7AE086756112058BDB00EBB68506B9AA2E4AB04319F10842B7D10CB282DBBCC441C61D

Uniqueness

Uniqueness Score: -1.00%

Function 0044827D Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00448292

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 65637b6ee6842692333b0e13ffe9075faae8792ec71070a186bda77f443aef37
Instruction ID: 5ff8e4a9eb7898b5525ea3130c7b313edf93c4a40d97aa87955787450e8aafd7
Opcode Fuzzy Hash: 65637b6ee6842692333b0e13ffe9075faae8792ec71070a186bda77f443aef37
Instruction Fuzzy Hash: 03D01772E547046AEB105B75AC097263A98A784399F004436E80DC6150FAB4C5409A49

Uniqueness

Uniqueness Score: -1.00%

Function 0043E6AF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

__waccess_s.LIBCMT ref: 0043E6BA

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __waccess_s
String ID:
API String ID: 4272103461-0
Opcode ID: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
Instruction ID: 20f72f3fd7d8b9321cfec293169b33bfb5715925ea7c671c9b98f829f10e3b89
Opcode Fuzzy Hash: 121c4f77d4c72d3789264fc0d0d617dc9724d87233f222cead199be475d85574
Instruction Fuzzy Hash: 97C02B3300400C3F4F141DE3EC01C083F09C680330F105116F80C880D1CD32E8104284

Uniqueness

Uniqueness Score: -1.00%

Function 004438D3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_doexit.LIBCMT ref: 004438DF

Part of subcall function 004437A7: __lock.LIBCMT ref: 004437B5
Part of subcall function 004437A7: __decode_pointer.LIBCMT ref: 004437EC
Part of subcall function 004437A7: __decode_pointer.LIBCMT ref: 00443801
Part of subcall function 004437A7: __decode_pointer.LIBCMT ref: 0044382B
Part of subcall function 004437A7: __decode_pointer.LIBCMT ref: 00443841
Part of subcall function 004437A7: __decode_pointer.LIBCMT ref: 0044384E
Part of subcall function 004437A7: __initterm.LIBCMT ref: 0044387D
Part of subcall function 004437A7: __initterm.LIBCMT ref: 0044388D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __decode_pointer$__initterm$__lock_doexit
String ID:
API String ID: 1597249276-0
Opcode ID: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction ID: 8c597e9381f3e4681478f3a7e609c3c2dd390db9a537612fd936f7b197ce17f4
Opcode Fuzzy Hash: 02276376eab60fb44a6de362a8cb41930a671a9c3f5feaa45b9c6d7d217bd1ad
Instruction Fuzzy Hash: 9AB092B258024833EA202A82AC03F063A099BC0B64E244021BA0C191A1A9A3AA628089

Uniqueness

Uniqueness Score: -1.00%

Function 0043F9FE Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__make__time64_t.LIBCMT ref: 0043FA08

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __make__time64_t
String ID:
API String ID: 1242165881-0
Opcode ID: 5f2446f3e75e43e2549ab1216d78344c9aed32879290253eb41c07f426e25a17
Instruction ID: efbcaa7826b508f521c1c106d03b44c379c6e901a1b4f6b5f4faef5199c7be49
Opcode Fuzzy Hash: 5f2446f3e75e43e2549ab1216d78344c9aed32879290253eb41c07f426e25a17
Instruction Fuzzy Hash: B4B0123315C30C2FD70065DBB447E8537EC87C8B24F200016B60C0B182DDA2F88041D9

Uniqueness

Uniqueness Score: -1.00%

Function 00412D9E Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00412DA8

Part of subcall function 0043FF12: __FF_MSGBANNER.LIBCMT ref: 0043FF35
Part of subcall function 0043FF12: __NMSG_WRITE.LIBCMT ref: 0043FF3C
Part of subcall function 0043FF12: RtlAllocateHeap.NTDLL(00000000,?,00000001), ref: 0043FF89

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 3d0d7d1eaf54c32c0ebc4e3e3667cb3724648d5ccb301dde9a0e36464dddef47
Instruction ID: 1a581bbd53ef58e20bbefdeffcb45f31b34c61190c37555c0bf9c05164fdf762
Opcode Fuzzy Hash: 3d0d7d1eaf54c32c0ebc4e3e3667cb3724648d5ccb301dde9a0e36464dddef47
Instruction Fuzzy Hash: EDB012724082016A8504D694E28180AB7D89AD5310F10D80FF0558B450C634D0405601

Uniqueness

Uniqueness Score: -1.00%

Function 00413723 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(75750000), ref: 0041372D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 31ce9b47fb0aa0890bdf1ef8aa290c7fe2bb6f0e41baec406883db4bd2b58e0a
Instruction ID: 01c4208cbd580f71e4534c40ca6320a4b20220a7ccb362821ef98604ad3037b9
Opcode Fuzzy Hash: 31ce9b47fb0aa0890bdf1ef8aa290c7fe2bb6f0e41baec406883db4bd2b58e0a
Instruction Fuzzy Hash: 16B012F0F003004B9E208F61EF48512329C5E447023000034A405C9290D668C540C51A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406CB9 Relevance: 66.9, APIs: 37, Strings: 1, Instructions: 409windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406CC3

Part of subcall function 00401CEA: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00401CF2
Part of subcall function 00401CEA: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00401CFF

LoadIconW.USER32(00000000,00000065), ref: 00406CD3
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00406CE2
GetDlgItem.USER32(?,000003F3), ref: 00406CF4
GetDlgItem.USER32(?,000003F8), ref: 00406D02
GetDlgItem.USER32(?,000003F9), ref: 00406D10
GetDlgItem.USER32(?,000003F4), ref: 00406D1E
GetDlgItem.USER32(?,000003F7), ref: 00406D2C
GetDlgItem.USER32(?,000003F5), ref: 00406D3A
GetDlgItem.USER32(?,000003F6), ref: 00406D48
GetDlgItem.USER32(?,000003F0), ref: 00406D56
GetDlgItem.USER32(?,000003F1), ref: 00406D60
GetDlgItem.USER32(?,00000001), ref: 00406D6B
GetDlgItem.USER32(?,00000002), ref: 00406D76
GetDlgItem.USER32(?,000003EE), ref: 00406D84

Part of subcall function 00402A2E: __EH_prolog3_GS.LIBCMT ref: 00402A38
Part of subcall function 00402A2E: _memset.LIBCMT ref: 00402A76
Part of subcall function 00402A2E: LoadStringW.USER32(?,?,00000208), ref: 00402A93

SetWindowTextW.USER32(00000000,?), ref: 00406DBA
SetWindowTextW.USER32(?,?), ref: 00406E15
SetWindowTextW.USER32(?,?), ref: 00406E68
SetWindowTextW.USER32(?,?), ref: 00406EBE
SetWindowTextW.USER32(?,?), ref: 00406F14
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00406F40
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00406F57
_memset.LIBCMT ref: 00406FDB
FindFirstFileW.KERNEL32(?,?), ref: 00407000
FindClose.KERNEL32(00000000), ref: 00407010
_memset.LIBCMT ref: 0040702C
PathCompactPathExW.SHLWAPI(?,?,00000028,00000000), ref: 00407054
SetWindowTextW.USER32(?,?), ref: 0040706D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040709F
SetWindowTextW.USER32(?,?), ref: 004070F9
SetWindowTextW.USER32(?,?), ref: 0040717F

Part of subcall function 00408774: __EH_prolog3.LIBCMT ref: 0040877B

SetWindowTextW.USER32(?,?), ref: 004071B5
SetWindowTextW.USER32(?,?), ref: 004071F8
_memset.LIBCMT ref: 0040720F
SHGetFileInfoW.SHELL32(?,00000080,?,000002B4,00000110), ref: 00407243
SendMessageW.USER32(?,00000170,?,00000000), ref: 00407262
SendMessageW.USER32(?,00000170,?,00000000), ref: 00407273

Strings

Bytes, xrefs: 00407151, 00407156, 004071CF

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Item$TextWindow$CriticalSection_memset$MessageSend$EnterFileFindH_prolog3_LeaveLoadPath$CloseCompactFirstH_prolog3IconInfoStringUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: Bytes
API String ID: 328566721-1326914
Opcode ID: 9235e05318675b7cea0da11fbe74813e13f04a300322290abfb859ff0bc44c09
Instruction ID: bf847a3ee0ce42f486f1f3a90aee798fd34bd8879b5813f3168fd9c1e0ec1f4b
Opcode Fuzzy Hash: 9235e05318675b7cea0da11fbe74813e13f04a300322290abfb859ff0bc44c09
Instruction Fuzzy Hash: 61023770D41229AADF21AB61CD49BDDBBB8EF04304F4041EAE50CB6191CB786F84CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00406766 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00406770
GetDlgItem.USER32(?,00000F03), ref: 00406783
_memset.LIBCMT ref: 004067A3
GetWindowTextW.USER32(00000000,?,00000104), ref: 004067B8

Part of subcall function 00408837: __EH_prolog3_GS.LIBCMT ref: 0040883E

Part of subcall function 004088F2: __EH_prolog3_GS.LIBCMT ref: 004088F9

MessageBoxW.USER32(?,?,ALZip Self-Extractor,00000010), ref: 0040682B
FindFirstFileW.KERNEL32(?,?,?,?), ref: 00406870
MessageBoxW.USER32(?,?,ALZip Self-Extractor,00000010), ref: 004068A9

Part of subcall function 00402A2E: __EH_prolog3_GS.LIBCMT ref: 00402A38
Part of subcall function 00402A2E: _memset.LIBCMT ref: 00402A76
Part of subcall function 00402A2E: LoadStringW.USER32(?,?,00000208), ref: 00402A93

FindClose.KERNEL32(00000000), ref: 004068ED
EndDialog.USER32(?,00000001), ref: 0040692F

Strings

ALZip Self-Extractor, xrefs: 00406824, 004068A2

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3_$FindMessage_memset$CloseDialogFileFirstItemLoadStringTextWindow
String ID: ALZip Self-Extractor
API String ID: 3135845946-1641417939
Opcode ID: a4c00ae34c456c4ed6b02c6a0a6ce953e3545696c82d9a7fcb5f90333d5686c8
Instruction ID: 7d57515e92b6c25296cbaaa10012aec84157dc421e88131edcf864bf4bf7d004
Opcode Fuzzy Hash: a4c00ae34c456c4ed6b02c6a0a6ce953e3545696c82d9a7fcb5f90333d5686c8
Instruction Fuzzy Hash: E0514B759422289EDB20EB608C89BEDB778AF04305F5040EAF609B7191DB785F89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040420F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 165fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404219
_memset.LIBCMT ref: 00404294
FindFirstFileW.KERNEL32(?,?), ref: 004042B0
RemoveDirectoryW.KERNEL32(?), ref: 004042CE

Part of subcall function 0040444A: std::_String_base::_Xlen.LIBCPMT ref: 00404459

Part of subcall function 00404493: _wcslen.LIBCMT ref: 00404498

GetFileAttributesW.KERNEL32(?,00000001,00000000,00000001,00000000,00000000,?,?,?,00000300,0040267D,?), ref: 004043AD
FindNextFileW.KERNEL32(?,?,00000001,00000000,?), ref: 00404408
FindClose.KERNEL32(?), ref: 0040441C
RemoveDirectoryW.KERNEL32(?), ref: 0040442F

Part of subcall function 0040369B: __EH_prolog3.LIBCMT ref: 004036A2

Strings

*.*, xrefs: 0040426D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: FileFind$DirectoryRemove$AttributesCloseFirstH_prolog3H_prolog3_NextString_base::_Xlen_memset_wcslenstd::_
String ID: *.*
API String ID: 832431637-438819550
Opcode ID: ce21df8e5576fd34ef4a36903495d80559331262bbf23cb017709f30d971612f
Instruction ID: 74036f60185010c92b8a47986787845e5613c85ad450f19c05f25c60527f7168
Opcode Fuzzy Hash: ce21df8e5576fd34ef4a36903495d80559331262bbf23cb017709f30d971612f
Instruction Fuzzy Hash: AE616C71E012189ADF10EBA5CC89BDEB7B8AF45305F1040AAFA05B72D1C7786A45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042FC86 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 150fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,F14CC7D6), ref: 0042FCDA
GetLastError.KERNEL32 ref: 0042FCE5
FindClose.KERNEL32(00000000), ref: 0042FCF8
SHGetFileInfoW.SHELL32(?,?,?,000002B4,00004411), ref: 0042FD15
SHGetFileInfoW.SHELL32(?,?,?,000002B4,00004010), ref: 0042FE33
SHGetFileInfoW.SHELL32(?,?,?,000002B4,00004012), ref: 0042FE59

Strings

, xrefs: 0042FD5F

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: File$Info$Find$CloseErrorFirstLast
String ID:
API String ID: 3972267499-3916222277
Opcode ID: 9cff7d4aa46710cd2c20694d721ff8b2f22585ab5a33c84ffd0904086f528063
Instruction ID: 24ceacf2916b62a918343cff41ad82f66889dc8a89366416d4a68181084d757b
Opcode Fuzzy Hash: 9cff7d4aa46710cd2c20694d721ff8b2f22585ab5a33c84ffd0904086f528063
Instruction Fuzzy Hash: 2A517E716043409FDB249F58D88565BBBF4BF85304F80453EEE459A2A2E739D844CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE6E Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004428C0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004428D5
UnhandledExceptionFilter.KERNEL32(004553D4), ref: 004428E0
GetCurrentProcess.KERNEL32(C0000409), ref: 004428FC
TerminateProcess.KERNEL32(00000000), ref: 00442903

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 6aad4009946f0461cbd50b314a273999e87589421552d71372112305a5f450e8
Instruction ID: bce4df15b308b61989174c39faf604124cb5e7e66fcbf03aacbc4256ba133020
Opcode Fuzzy Hash: 6aad4009946f0461cbd50b314a273999e87589421552d71372112305a5f450e8
Instruction Fuzzy Hash: C621CDB58017049FD720EF6AE9856683BE0FB48346F50103AE48997262F7F498809F5E

Uniqueness

Uniqueness Score: -1.00%

Function 00438DB1 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00438DF8
_memset.LIBCMT ref: 00438E8A
_memset.LIBCMT ref: 00438E93

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: d1222ff7b05bd1d85a8e20612f39eab23f734433b10b25448e75119ba63599a8
Instruction ID: 8d8d46e8a4138d773720769f1d5324dcce76c05ccf3b04a1af37464759a6e130
Opcode Fuzzy Hash: d1222ff7b05bd1d85a8e20612f39eab23f734433b10b25448e75119ba63599a8
Instruction Fuzzy Hash: 69314531201A26AFC715CB39C981A96FBE8FF1D714B41162AE458CBA41D734F560CBD8

Uniqueness

Uniqueness Score: -1.00%

Function 0040FB0D Relevance: 4.1, Strings: 3, Instructions: 387COMMON

Download Yara Rule

Strings

invalid distance code, xrefs: 0040FE74
invalid distance too far back, xrefs: 0040FE6B
invalid literal/length code, xrefs: 0040FE8A

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: 81e57cecd3775283745c621f47db997db9ca0950d0e60b86b6622ca45e9364b2
Instruction ID: 85ab08be457f6e4083eebb1b14389514e9d4246d47f23fa867d33ba9ed698ce7
Opcode Fuzzy Hash: 81e57cecd3775283745c621f47db997db9ca0950d0e60b86b6622ca45e9364b2
Instruction Fuzzy Hash: 9AF15830908649DBCB1CCF59D0A05BDBBB2FF89314B24C1AED4566BB85C7386A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0043A359 Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043A36E

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 4491824a45e4f2830902aea4bb3117d5ef3e502b8a73b53f24b6dd24d03efd05
Instruction ID: d832d85a6de6ff78fd26617c4231156f5e8d58e8e86471408de1ac2d32f41610
Opcode Fuzzy Hash: 4491824a45e4f2830902aea4bb3117d5ef3e502b8a73b53f24b6dd24d03efd05
Instruction Fuzzy Hash: AB715073A4A7829FC329CE6950800CAFFE2AF76111B54CA5EC4D693B43D170A61DCBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0043A060 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043A08D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 88eeb93891ae17a847663ab31721939bf60c68630b89fcb198b6b199ec170965
Instruction ID: 9a50006d6cad3f94e99b54735d9462dc4d335730d27e50b218e1d89611be95d3
Opcode Fuzzy Hash: 88eeb93891ae17a847663ab31721939bf60c68630b89fcb198b6b199ec170965
Instruction Fuzzy Hash: 41413075D09289AFCB05CBB988919FEFFB1AF6A200F4880D9D485B7352C2749604CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0FE Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00001004,?,0000007F), ref: 0041F124

Part of subcall function 0043F557: __wcstoi64.LIBCMT ref: 0043F54D

Part of subcall function 0041F168: _memset.LIBCMT ref: 0041F1C3
Part of subcall function 0041F168: _memset.LIBCMT ref: 0041F1D2
Part of subcall function 0041F168: _memset.LIBCMT ref: 0041F1E1

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset$InfoLocale__wcstoi64
String ID:
API String ID: 2822703429-0
Opcode ID: 158d38ff4b525a0fd99f45b2c0d7d5790e2f4b7cca7c2ecd90e5b10c85a88c8a
Instruction ID: 89e4e89a59ac48358f3d9c61824a73b98b8af0e17fe2c57a71af1809499820c5
Opcode Fuzzy Hash: 158d38ff4b525a0fd99f45b2c0d7d5790e2f4b7cca7c2ecd90e5b10c85a88c8a
Instruction Fuzzy Hash: 51F05E70945709AFE790DF759C06BEA77E8BB08704F50047EE58ADB181EAB4A9848F48

Uniqueness

Uniqueness Score: -1.00%

Function 00449993 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00049951), ref: 00449998

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 218f6063d97dc7998e4b0a3b0a53717a33ce01ae7fa99cfa9e5cebbb5e9a1d1b
Instruction ID: 7bf4760ad657c9bae1e3ab7c8bb625575873ab174034395021eca63b57dcc3aa
Opcode Fuzzy Hash: 218f6063d97dc7998e4b0a3b0a53717a33ce01ae7fa99cfa9e5cebbb5e9a1d1b
Instruction Fuzzy Hash: 0B9002B1655A01465A5027716D19B1B2DD05B5C61775204656041C8156DA94C4007559

Uniqueness

Uniqueness Score: -1.00%

Function 0040E300 Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

, xrefs: 0040E486

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 8f1cc1eaa6e63c68907c6d623f3496c1ca375fa78b51d1c34e072803b69f63eb
Instruction ID: 83f626478f620c76d0d527450d17edf3268bf0a98e779e0e5228a00bb0fdc727
Opcode Fuzzy Hash: 8f1cc1eaa6e63c68907c6d623f3496c1ca375fa78b51d1c34e072803b69f63eb
Instruction Fuzzy Hash: 39711632A1465287D718CF6EFCC050773A3EBD9342758CA35EE44C7266D674EA62C68C

Uniqueness

Uniqueness Score: -1.00%

Function 0043C762 Relevance: .9, Instructions: 910COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555cc2260394dce53b1381149b840c2c64056a8de71af9d029991dd1bc17966d
Instruction ID: 0ea362550cb6ee687708f52164db9714a835fdeb3b388311c3284555319d6571
Opcode Fuzzy Hash: 555cc2260394dce53b1381149b840c2c64056a8de71af9d029991dd1bc17966d
Instruction Fuzzy Hash: 609264B5E00604AFDB58DBB5C896AAFB7F8EF4C304F41485EA566DB241DA74BA00CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004323FD Relevance: .9, Instructions: 882COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b0359ed3682bd85d1e95683f2e7bfd9f3bc482f4764e967dbccd6c2b94006c
Instruction ID: 1d39b6c76f43a9248b48d8eb5423483ed93aa2ddf0bd25e623fd483dad1dd039
Opcode Fuzzy Hash: 35b0359ed3682bd85d1e95683f2e7bfd9f3bc482f4764e967dbccd6c2b94006c
Instruction Fuzzy Hash: 22927335D102798BDB0CCF55E89046EB7B2EB8A342B9F456EC64137296CA34B911CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 004331B6 Relevance: .9, Instructions: 872COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de3963b79fd19f1430a32af9f1b6903dff41cbe1bbf30dc8d8e599cb1df13827
Instruction ID: 434bc25f6e20fef7ff6ec8ee8ee08d97e2bee786d6ef12fbe28f7397306eac13
Opcode Fuzzy Hash: de3963b79fd19f1430a32af9f1b6903dff41cbe1bbf30dc8d8e599cb1df13827
Instruction Fuzzy Hash: 6692F6B092025ACFDB48CF69D4A06AEFBF0FB49341B460A7ED145EB652D7349A50CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0043D2DD Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2f6d459dc612497b8a5a027438922c0d3c36c343cd9962e5cd61e594cc1b75
Instruction ID: 6b22a096d91831ac95758970bb805bb30e1337e591af1fa201c878f9d89ddd16
Opcode Fuzzy Hash: 7b2f6d459dc612497b8a5a027438922c0d3c36c343cd9962e5cd61e594cc1b75
Instruction Fuzzy Hash: D682D875D00609EFDB18EFF5C999AAFBBB1FF48304F00895EA466A7251DB35A600DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00441A32 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 9709679a9d7268e12eeb8792fe2fe3a6b10c17e863c2f671e39c5f2c97ebfbc4
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 2DD19F73C0A9F30A9735812E44A823BEE626FC174132EC7E6CDD43F399D22A5D6195D4

Uniqueness

Uniqueness Score: -1.00%

Function 00441612 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: a78cc35cc9a4b6dad3d9da5fc7f0069d826abb50dc59cc9f2fad861cde678d33
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: 1FD1A173C0A9B30AA735812D50A823BEE626FD175132FC7E6CCD43F399D22A9D5185D4

Uniqueness

Uniqueness Score: -1.00%

Function 004112BA Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b43d5901d12017e2b3a7b99ebad0eac7f9da094789f82637c4a4d38607ac9f4
Instruction ID: ccb4b062690ac05c09b56ba7575a535ccef73d1156c9d8e97da8886fbdea227b
Opcode Fuzzy Hash: 0b43d5901d12017e2b3a7b99ebad0eac7f9da094789f82637c4a4d38607ac9f4
Instruction Fuzzy Hash: 5FE19D71900259CBCF19CF28C4906FE7BF2FF94304F14816AE9569B3A0E7389995CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00441206 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 1aacb2c0926f30c9b83ed2bddc87643d69e49ed21b843a6c05a35531a867e18d
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: ACC1A073C0A9B30AA736812D409823BEE626FD174132FC7E6CCD43F399923A5D6185D4

Uniqueness

Uniqueness Score: -1.00%

Function 00440E32 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 3f263a61a8fce33d7e83803a541c148df2a421d6f33e9331a612a614fe3af307
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 40C1B273D0A9B30A9735822D409823BEE626FD174032EC7E6CDE43F389D63A9C6595D4

Uniqueness

Uniqueness Score: -1.00%

Function 0040F747 Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfc32db5714170dcda5b8b766f0e9e89a9549f6ee237d10d0f28e70dca73033
Instruction ID: be11005d6e181980f37f9beddc807430705feb298e64d130538f987c6147088b
Opcode Fuzzy Hash: ebfc32db5714170dcda5b8b766f0e9e89a9549f6ee237d10d0f28e70dca73033
Instruction Fuzzy Hash: 28D10F36600B408FD334DF29C480AA6B3E1BF89704B64493ED9D697BA1D779F84ACB04

Uniqueness

Uniqueness Score: -1.00%

Function 0043830F Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0b272695f3f9c5c7e5c0504678aa6f1356f260b6d75b4870e8fc24132dbc03
Instruction ID: 98a2b415a2812cbfc23a66633ec2d0e48ce371664962df747a949b53b067225a
Opcode Fuzzy Hash: 1f0b272695f3f9c5c7e5c0504678aa6f1356f260b6d75b4870e8fc24132dbc03
Instruction Fuzzy Hash: A2D1BC2940D7C1ADCB068F7840A44EBFFF06D6F200F4D65D9E8E44A707C214D616EBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00434A97 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0ac9906b8a9d59372085cb4554bc23967648cf0504491a43c630b6657a5dbd
Instruction ID: aa5b0f6423530939324f38dd1bc89b3007b2455ed8155981c14bd54b9c52a788
Opcode Fuzzy Hash: ef0ac9906b8a9d59372085cb4554bc23967648cf0504491a43c630b6657a5dbd
Instruction Fuzzy Hash: 827138319012899BCF01DEB8C9805EFBBB5AF8D304F25266BE851E7242D739EE05C759

Uniqueness

Uniqueness Score: -1.00%

Function 004390E4 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b062ce0ff60de56ce906bd5ebb968a2f8ec28e3a68abcccbb960ffebc893af
Instruction ID: 4b8d2d0da7266f6937df6c6be015438cb1d0304045ea5f48937bccb7911d6291
Opcode Fuzzy Hash: 38b062ce0ff60de56ce906bd5ebb968a2f8ec28e3a68abcccbb960ffebc893af
Instruction Fuzzy Hash: 4E71083290068AABCF11DEB8C9805EF7B75AF4D304F24196BEC51A7282D779CE05C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00434868 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a65e7324bbbbfc0b52ed691ace2cc65dd49b54854b9e7afc48327dd70ec78139
Instruction ID: 5e7294333f477b804e9ec30b783f224519550215e6bf4c6c9c58aa1c8ea85f85
Opcode Fuzzy Hash: a65e7324bbbbfc0b52ed691ace2cc65dd49b54854b9e7afc48327dd70ec78139
Instruction Fuzzy Hash: 0671263190128D9BCF01EEB8C9815EFBBB5EF8D314F24156BE841E3242D639AE05C759

Uniqueness

Uniqueness Score: -1.00%

Function 00438EB6 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64a577377ac23ca529bd620e6379afe292692ca16f49098dfdf3a39997da5159
Instruction ID: f49662a70ae25c1259590c5bb00ca8841102100187d5892ba42928d44c6f4cb8
Opcode Fuzzy Hash: 64a577377ac23ca529bd620e6379afe292692ca16f49098dfdf3a39997da5159
Instruction Fuzzy Hash: 5F71373190128D9BCF05DEB8C9815EFBBB5AF4D304F24156AE840E7242DBB9CE45CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004386CB Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2410d9a9f52ec003b747a12593d9ea2cee68fdf4627e60d74de2653c326ec32f
Instruction ID: 02372268bce5262512ca4ae69c05a43378eefff299d530113c6cb3471bf619a4
Opcode Fuzzy Hash: 2410d9a9f52ec003b747a12593d9ea2cee68fdf4627e60d74de2653c326ec32f
Instruction Fuzzy Hash: 2E919CB59187429FCB50CF29C580A4AFBE0FF8D314F51892EF898DB601D734E9548B86

Uniqueness

Uniqueness Score: -1.00%

Function 00439A85 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782b640763aecf61fdb28d26229673e903dfe332e084ba1cf879ba77e25c2265
Instruction ID: 71cf7b6caa16897f969470ec2b6dcf675b019a00bb0cef7ca218a68a4f6660b9
Opcode Fuzzy Hash: 782b640763aecf61fdb28d26229673e903dfe332e084ba1cf879ba77e25c2265
Instruction Fuzzy Hash: 7D617F66C2DBD24EC343DA3A94510A6FBE04DF7090F44D78BF8E472992F352D28A5722

Uniqueness

Uniqueness Score: -1.00%

Function 00439EB2 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55bbab22f4817f380e48feb74b05980617678219eb44f21fa453d019c3b6e2e7
Instruction ID: f510a3c54e2bfe20a7beb0bbc5a6e903c4065d25837658b4ab61c926df4bd5e1
Opcode Fuzzy Hash: 55bbab22f4817f380e48feb74b05980617678219eb44f21fa453d019c3b6e2e7
Instruction Fuzzy Hash: 1F51B426D096899EDB01CB68C4D17DEBF729F6B208F5460C4C49817393D1B6620EEB51

Uniqueness

Uniqueness Score: -1.00%

Function 00433E23 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5592c564dba602920f734b6d66cdcd49e880bd8f20ca1b0d995223d6a7a6a749
Instruction ID: db09df9654c9aecaaac5eee5829dfaaf2d568e6c958dcfa07b2ea1ffb0708cb4
Opcode Fuzzy Hash: 5592c564dba602920f734b6d66cdcd49e880bd8f20ca1b0d995223d6a7a6a749
Instruction Fuzzy Hash: 7651F6B2D01618EFDB08CF89D88469DF7B2FF88315F6685AAC8157B351C770AA41CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00438A0F Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44d32de274c38e4dd627e5d8a01ebd0d1377500f4655278076547727d296c24e
Instruction ID: 8c87d3f79eb901cd832319f2f6190220ac6bfa4eb4b4c645c4f475ed919c806e
Opcode Fuzzy Hash: 44d32de274c38e4dd627e5d8a01ebd0d1377500f4655278076547727d296c24e
Instruction Fuzzy Hash: C141DEB190021A9FDB14DFA8C5809AEFBF0FF0C314F14856AE815AB241D738EA51CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004408B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: ec9d0a18f84cad21bcc784ad98a91078f682d559ffa01dd8b15fa92ca04a6485
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: FA115BF724518243F604863EC9B46B7E796EBC632072C437BC3428B759C23AE9759908

Uniqueness

Uniqueness Score: -1.00%

Function 0043A2F5 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c1e56738578b916c3618c14c2a1d8ef0f7e358f729908a17fe76b9a0c2a5fd6
Instruction ID: 66b8a1276f8831be9867de1ed29f8991741a5ea0703c6a397c0c87422595cc58
Opcode Fuzzy Hash: 8c1e56738578b916c3618c14c2a1d8ef0f7e358f729908a17fe76b9a0c2a5fd6
Instruction Fuzzy Hash: 91F08C72C483499ACB149F6C84016DEBBE4AF09308F44809AC8DAE3341C236E507CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00406A0A Relevance: 21.1, APIs: 14, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F2), ref: 00406A79
_memset.LIBCMT ref: 00406A93
GetWindowTextW.USER32(00000000,?,00000104), ref: 00406AA6
EndDialog.USER32(?,00000001), ref: 00406ABC
GetDlgItem.USER32(?,000003F0), ref: 00406AD5
GetDlgItem.USER32(?,000003FA), ref: 00406AE1
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00406B07
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00406B1C
_memset.LIBCMT ref: 00406B36
PathCompactPathExW.SHLWAPI(?,?,00000028,00000000), ref: 00406B56
SetWindowTextW.USER32(?,?), ref: 00406B6B
SetWindowTextW.USER32(?,?), ref: 00406B8F
LoadIconW.USER32(00000000,00000065), ref: 00406B99
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00406BAA

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ItemTextWindow$CriticalPathSection_memset$CompactDialogEnterIconLeaveLoadMessageSend
String ID:
API String ID: 4128035061-0
Opcode ID: 85fae9f679e42022cc7b8c32624fbdd38ada88dc68eaa6955dcd9d2b6cb034ca
Instruction ID: f092478ec133c74487e4ca1871de8ee24f511d73ebb376b8360eb1aca4963b8b
Opcode Fuzzy Hash: 85fae9f679e42022cc7b8c32624fbdd38ada88dc68eaa6955dcd9d2b6cb034ca
Instruction Fuzzy Hash: D951B071908344AFC710DF64DC49A6FBBE8FB88715F00092EF545A72A1DB78E9048B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BDC4 Relevance: 19.7, APIs: 13, Instructions: 178COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040BDCB

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0040BE0E

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

__aulldiv.LIBCMT ref: 0040BE18
~_Task_impl.LIBCPMT ref: 0040BFDA

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0040BE99
~_Task_impl.LIBCPMT ref: 0040BEBE
__aulldvrm.LIBCMT ref: 0040BED9
~_Task_impl.LIBCPMT ref: 0040BEF3
~_Task_impl.LIBCPMT ref: 0040BF2C
~_Task_impl.LIBCPMT ref: 0040BF6D
~_Task_impl.LIBCPMT ref: 0040BF78
~_Task_impl.LIBCPMT ref: 0040BFC0
~_Task_impl.LIBCPMT ref: 0040BFCE

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternalTask_impl$H_prolog3$BaseBase::~Concurrency::details::$__aulldiv__aulldvrm
String ID:
API String ID: 3645425728-0
Opcode ID: 461e82d39eb494737a39b010787dd2f6fe6b97edc756c7a2ccbf645fd06dabcb
Instruction ID: 6de5cf7d8f169f5145afff4ccc3840ea33d4ba513d7e0b6e486be0f03897002f
Opcode Fuzzy Hash: 461e82d39eb494737a39b010787dd2f6fe6b97edc756c7a2ccbf645fd06dabcb
Instruction Fuzzy Hash: 03716C70805248EACB11EBE5C981ADEFBB5AF14304F64816FF504B3281DB785A45CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00442E89 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,004649B8,0000000C,00442FC4,00000000,00000000,?,00443470,?,00000001,?,?,00446906,00000018,00464B88,0000000C), ref: 00442E9B
__crt_waiting_on_module_handle.LIBCMT ref: 00442EA6

Part of subcall function 00443633: Sleep.KERNEL32(000003E8,?,?,00442DAF,KERNEL32.DLL,?,00442E1B,?,0043E811), ref: 0044363F
Part of subcall function 00443633: GetModuleHandleW.KERNEL32(?,?,?,00442DAF,KERNEL32.DLL,?,00442E1B,?,0043E811), ref: 00443648

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00442ECF
GetProcAddress.KERNEL32(?,DecodePointer), ref: 00442EDF
__lock.LIBCMT ref: 00442F01
InterlockedIncrement.KERNEL32(0046A2B0), ref: 00442F0E
__lock.LIBCMT ref: 00442F22
___addlocaleref.LIBCMT ref: 00442F40

Strings

KERNEL32.DLL, xrefs: 00442E95, 00442E9A, 00442EA5
EncodePointer, xrefs: 00442EC3
DecodePointer, xrefs: 00442ED7

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 0ee181e5ec4e5ed518102d560495f94ee81f1bc0b3d93605128046e1148690b0
Instruction ID: d98a1fd25723ecff8a28b201bf586ab88bace2cf1470f18d9060b409fab193c1
Opcode Fuzzy Hash: 0ee181e5ec4e5ed518102d560495f94ee81f1bc0b3d93605128046e1148690b0
Instruction Fuzzy Hash: D0118470801B019FE710AF2AD90175BBBF0AF04715F50445FE499962A1CBB89645CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405146 Relevance: 18.1, APIs: 12, Instructions: 80timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040514D
KillTimer.USER32(?,00000000,0000004C,00405042), ref: 00405156
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00405162
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00405171
SetWindowTextW.USER32(00000000,?), ref: 004051A3
EnableWindow.USER32(?,00000001), ref: 004051AC
GetDlgItem.USER32(?,000003F0), ref: 00405183

Part of subcall function 00402A2E: __EH_prolog3_GS.LIBCMT ref: 00402A38
Part of subcall function 00402A2E: _memset.LIBCMT ref: 00402A76
Part of subcall function 00402A2E: LoadStringW.USER32(?,?,00000208), ref: 00402A93

GetDlgItem.USER32(?,000003F0), ref: 004051CD
SetWindowTextW.USER32(00000000,?), ref: 004051F0
EnableWindow.USER32(?,00000001), ref: 004051F9
PostMessageW.USER32(?,00000111,00000001,00000000), ref: 00405210
SetTimer.USER32(?,00000000,0000012C,00000000), ref: 00405237

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Window$CriticalEnableH_prolog3_ItemSectionTextTimer$EnterKillLeaveLoadMessagePostString_memset
String ID:
API String ID: 2605397802-0
Opcode ID: b5b8b419dd4f3ee970db8cfb15c1bf262541a38d3a34cfd078c17e6e35712af9
Instruction ID: 16fea842b008bdfeee44fa9a073261e3484eaa77f7e59c747711c610d908faab
Opcode Fuzzy Hash: b5b8b419dd4f3ee970db8cfb15c1bf262541a38d3a34cfd078c17e6e35712af9
Instruction Fuzzy Hash: 44218735D40604AFDB00ABE0AD99ABE7778EF05706F404439F601BA1D2C7B85D458F6E

Uniqueness

Uniqueness Score: -1.00%

Function 004048A0 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 383COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004048AA

Strings

%PROGRAMFILES%, xrefs: 0040494D
%TEMP%, xrefs: 004048FF
%WINDIR%, xrefs: 004048E9
pE, xrefs: 004049F1, 00404A02
%DESTDIR%, xrefs: 00404967
%APPDATA%, xrefs: 00404933
%HOMEPATH%, xrefs: 00404919
%DESKTOP%, xrefs: 00404981

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3_
String ID: pE$%APPDATA%$%DESKTOP%$%DESTDIR%$%HOMEPATH%$%PROGRAMFILES%$%TEMP%$%WINDIR%
API String ID: 2427045233-3388569860
Opcode ID: 10d8dd5ba57f96f657827178c115a8450af75288e3ab89f1313012d3903199e1
Instruction ID: 89812509410923b3798fdaa3b04139db37778d273e4b341b02cc58df668162e3
Opcode Fuzzy Hash: 10d8dd5ba57f96f657827178c115a8450af75288e3ab89f1313012d3903199e1
Instruction Fuzzy Hash: AFF18D719012589ADF20DBA1CD45BDEB774AF05308F1441EAF608B72D2DAB86F84CF96

Uniqueness

Uniqueness Score: -1.00%

Function 00406645 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040664F
_memset.LIBCMT ref: 0040666D
_memset.LIBCMT ref: 0040667F

Part of subcall function 004024CE: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 004024D8
Part of subcall function 004024CE: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 004024F1

_memset.LIBCMT ref: 004066BB

Part of subcall function 00401CEA: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00401CF2
Part of subcall function 00401CEA: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00401CFF

LoadStringW.USER32(00000000,000000A8,?,00000208), ref: 004066D6
75FED0D0.COMDLG32 ref: 00406725
GetDlgItem.USER32(?,00000F03), ref: 00406736
SetWindowTextW.USER32(00000000,?), ref: 00406743

Strings

X, xrefs: 00406701

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CriticalSection$_memset$EnterLeave$H_prolog3_ItemLoadStringTextWindow
String ID: X
API String ID: 3999395921-3081909835
Opcode ID: ce6e4a428c0df159699edc2dd0f99c0cd412995fb6a3aeab0a08714258333dbd
Instruction ID: c97d7f9073ee2c6895bed41939ac1db2a69f451b9010f98ed15bd42601f2c2e4
Opcode Fuzzy Hash: ce6e4a428c0df159699edc2dd0f99c0cd412995fb6a3aeab0a08714258333dbd
Instruction Fuzzy Hash: 92219EB1D002289FDB10AF60CC49BCEB7B9AB84309F4045EAB508B3181D7799B948F54

Uniqueness

Uniqueness Score: -1.00%

Function 0043964F Relevance: 15.2, APIs: 10, Instructions: 154COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004396B5
_memset.LIBCMT ref: 0043977D
_memset.LIBCMT ref: 0043978C
_memset.LIBCMT ref: 00439795
_memset.LIBCMT ref: 004397A4
_memset.LIBCMT ref: 004397D5
_memset.LIBCMT ref: 004397E4
_memset.LIBCMT ref: 004397ED
_memset.LIBCMT ref: 004397FC
_memset.LIBCMT ref: 00439813

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: e74f58f76886b05d90e4de47fdddef4d4ce7cb6818af22895a9ccaa3cc75b48b
Instruction ID: 2b35144b6b4bb8a75dba9fa44d05cbf8526f3da09ce7a91c1a8180991dcf3ab7
Opcode Fuzzy Hash: e74f58f76886b05d90e4de47fdddef4d4ce7cb6818af22895a9ccaa3cc75b48b
Instruction Fuzzy Hash: B951B171910649ABD720DEB58C81BEBB7ECAF1C348F04081EF5E697281D2B8BA408765

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCF6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041FCFD
_wcslen.LIBCMT ref: 0041FD16
_wcscpy.LIBCMT ref: 0041FD37
_wcsrchr.LIBCMT ref: 0041FD41

Part of subcall function 00402D5E: _wcslen.LIBCMT ref: 00402D62

_wcslen.LIBCMT ref: 0041FD73
_wcslen.LIBCMT ref: 0041FDEA
_wcsrchr.LIBCMT ref: 0041FE04

Strings

|exe|com|scr|pif|pat|cmd|dll|, xrefs: 0041FDD0

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _wcslen$_wcsrchr$H_prolog3__wcscpy
String ID: |exe|com|scr|pif|pat|cmd|dll|
API String ID: 1207094621-1584199541
Opcode ID: 5f9dad6d220327f0ff555e867992245958084ba1485de8b35e9d00cd3b8f9b85
Instruction ID: 868d4d8cd7acafc5a32821e89b1a2875270b5fa065d1683ef6b37312e2cb0964
Opcode Fuzzy Hash: 5f9dad6d220327f0ff555e867992245958084ba1485de8b35e9d00cd3b8f9b85
Instruction Fuzzy Hash: 74418332C00219ABDF14ABA5ED42ADEB7B8EF04318F24402BF511B71B1EB789945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042E9DE Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042E9E8
_memset.LIBCMT ref: 0042EA2B

Part of subcall function 004013B7: _wcslen.LIBCMT ref: 004013BE

swprintf.LIBCMT ref: 0042EA53

Part of subcall function 0044079E: __vswprintf_s_l.LIBCMT ref: 004407B2

CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,0046027C), ref: 0042EA77
OpenEventW.KERNEL32(00100000,00000001,00000000,?,?,?,0046027C), ref: 0042EA88
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,0046027C), ref: 0042EA97
OpenEventW.KERNEL32(00100000,00000001,00000000,?,?,?,0046027C), ref: 0042EAA8

Strings

Anti_%s, xrefs: 0042EA42

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Event$CreateOpen$H_prolog3___vswprintf_s_l_memset_wcslenswprintf
String ID: Anti_%s
API String ID: 3896401880-1099802867
Opcode ID: 35a71c8ed71cea3297d429245cedaeed057e36c69503f9a87de2d867024ed752
Instruction ID: 0cf8a383aeb7055d5f396e25c6cb79881359ae267809a1945403a7cdfd78cb12
Opcode Fuzzy Hash: 35a71c8ed71cea3297d429245cedaeed057e36c69503f9a87de2d867024ed752
Instruction Fuzzy Hash: 5C21D8B1940319BEEB00EF718CC5BDA7668BF18708F10846BF604B71D1E7B89D844B94

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC62 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 0041FC74
__wcsicoll.LIBCMT ref: 0041FC96
__wcsicoll.LIBCMT ref: 0041FCB9

Strings

.pif, xrefs: 0041FCD6
.bat, xrefs: 0041FCB3
.lnk, xrefs: 0041FC6E
.scr, xrefs: 0041FC90

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __wcsicoll
String ID: .bat$.lnk$.pif$.scr
API String ID: 3832890014-3858101065
Opcode ID: c23e03f286416fbad75b508e0ed0ccd60f084649aab64887b9fb8e1ceb0fe53c
Instruction ID: b5db54f6088c41b32f7b9a11ec371a4bcd0c7c97d380799355ade207b1382448
Opcode Fuzzy Hash: c23e03f286416fbad75b508e0ed0ccd60f084649aab64887b9fb8e1ceb0fe53c
Instruction Fuzzy Hash: 22019E3114A74A84F235613459AABEBAAC47B92718F24003FDCDB41291FB6C64AB604E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6DC Relevance: 13.7, APIs: 9, Instructions: 202COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C6E3
~_Task_impl.LIBCPMT ref: 0040C75B

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Part of subcall function 00416A64: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416AC4
Part of subcall function 00416A64: ~_Task_impl.LIBCPMT ref: 00416AE1

~_Task_impl.LIBCPMT ref: 0040C7CD

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

~_Task_impl.LIBCPMT ref: 0040C7C1

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

~_Task_impl.LIBCPMT ref: 0040C961
~_Task_impl.LIBCPMT ref: 0040C74F

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

~_Task_impl.LIBCPMT ref: 0040C815
~_Task_impl.LIBCPMT ref: 0040C821

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0040C96D

Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175E0
Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175FC

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$Task_impl$BaseBase::~Concurrency::details::$H_prolog3$H_prolog3_
String ID:
API String ID: 1485957940-0
Opcode ID: 42a01046490967c14964673164fcbb36c39b4e5e7a7f6876bd072d9932d0f288
Instruction ID: eff41e0ae5b12a3ab500ca653aa4a7a0763c201d7cb7ede61860280d69d82ecd
Opcode Fuzzy Hash: 42a01046490967c14964673164fcbb36c39b4e5e7a7f6876bd072d9932d0f288
Instruction Fuzzy Hash: 02916F71801209EFCF01EF94C491BEDBBB5BF18304F14416AE9057B292DB78AA85DF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2C3 Relevance: 13.7, APIs: 9, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040C2CA
~_Task_impl.LIBCPMT ref: 0040C342

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Part of subcall function 00416A64: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416AC4
Part of subcall function 00416A64: ~_Task_impl.LIBCPMT ref: 00416AE1

Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175E0
Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175FC

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 0040C3AB

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

~_Task_impl.LIBCPMT ref: 0040C39F

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

~_Task_impl.LIBCPMT ref: 0040C336

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

~_Task_impl.LIBCPMT ref: 0040C402
~_Task_impl.LIBCPMT ref: 0040C40E
~_Task_impl.LIBCPMT ref: 0040C4F9
~_Task_impl.LIBCPMT ref: 0040C505

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$Task_impl$BaseBase::~Concurrency::details::H_prolog3
String ID:
API String ID: 3832468939-0
Opcode ID: 3f181a0e94a657a32aefcc87af5c7c2d8eda59962f08b2d2a8a1af005701e768
Instruction ID: 04552d86dac3943a131ee1038ee3aad7a785cb4708231961ba9ebeaa31e15916
Opcode Fuzzy Hash: 3f181a0e94a657a32aefcc87af5c7c2d8eda59962f08b2d2a8a1af005701e768
Instruction Fuzzy Hash: 7671C370805248DECF10EFA4C1957EDBBB4AF18308F54806EE8457B282DB789F49DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0A4 Relevance: 13.7, APIs: 9, Instructions: 167COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040C0AB

Part of subcall function 00416A64: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416AC4
Part of subcall function 00416A64: ~_Task_impl.LIBCPMT ref: 00416AE1

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0040C116

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175E0
Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175FC

~_Task_impl.LIBCPMT ref: 0040C2B3

Part of subcall function 00416CA1: ~_Task_impl.LIBCPMT ref: 00416CBA

__aulldiv.LIBCMT ref: 0040C173
__aulldvrm.LIBCMT ref: 0040C18F
~_Task_impl.LIBCPMT ref: 0040C1F6
~_Task_impl.LIBCPMT ref: 0040C201
~_Task_impl.LIBCPMT ref: 0040C24E
~_Task_impl.LIBCPMT ref: 0040C259

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Task_impl$ContextExternal$BaseBase::~Concurrency::details::H_prolog3$__aulldiv__aulldvrm
String ID:
API String ID: 785539728-0
Opcode ID: eee2511cf54b430e421d2a641b31d6f1601adf5062c95f7e85faf3ea996594e9
Instruction ID: f4426efc53ffe4305bf7800513cae526124559ee913c4b1df191f3fc7bfec984
Opcode Fuzzy Hash: eee2511cf54b430e421d2a641b31d6f1601adf5062c95f7e85faf3ea996594e9
Instruction Fuzzy Hash: 9D614C70D0111AEFCF04DBE5C881AEEBBB5BF48318F14412EE414B7281D7789A55DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00407361 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040736B
SHGetMalloc.SHELL32(?), ref: 00407379
SHBrowseForFolderW.SHELL32 ref: 004073ED
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00407405
GetDlgItem.USER32(?,000003E8), ref: 00407415
SetWindowTextW.USER32(00000000,?), ref: 00407423

Strings

@, xrefs: 004073D7

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: BrowseFolderFromH_prolog3_ItemListMallocPathTextWindow
String ID: @
API String ID: 1883693206-2766056989
Opcode ID: c6e2f8b0e4c42a81da26c09d54589962973070651ebbedb6706efcca69c046bc
Instruction ID: fa59ab96ac5d1197279c403a8771da55510f0c260f3e7aa129da7c12dabf02e2
Opcode Fuzzy Hash: c6e2f8b0e4c42a81da26c09d54589962973070651ebbedb6706efcca69c046bc
Instruction Fuzzy Hash: F83154B0D006189FDB60DF65CD84B9DB7B8AB44305F4000FAAA09A7251DB789E85CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00401AF1 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00401AF8
RtlInitializeCriticalSection.NTDLL(0046D37C), ref: 00401B1E
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00401B45

Part of subcall function 00401AA6: __EH_prolog3.LIBCMT ref: 00401AAD

Part of subcall function 0041B1EF: __EH_prolog3.LIBCMT ref: 0041B1F6

Strings

~}3, xrefs: 00401C08
d8@, xrefs: 00401B30
~}3, xrefs: 00401BFC
HpE, xrefs: 00401AFD

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$CreateCriticalEventInitializeSection
String ID: HpE$d8@$~}3$~}3
API String ID: 4096329014-46719259
Opcode ID: 1fb5e4ffbf66790e775ef7bc1d37d0df9a6ee94a06c4f00fa2a22fe4547049eb
Instruction ID: 224e6281f1d8eb1d81f0cab5732f56c9ea292a43e7947ef120ba0b95a6336a39
Opcode Fuzzy Hash: 1fb5e4ffbf66790e775ef7bc1d37d0df9a6ee94a06c4f00fa2a22fe4547049eb
Instruction Fuzzy Hash: 2421CDF0F152609EC300AF6AAD411093AA8EB49B45715403FF90897361FBF858858F9F

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1D4 Relevance: 10.7, APIs: 7, Instructions: 181COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040D1DB

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0040D23E

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

_memcpy_s.LIBCMT ref: 0040D287
_memcpy_s.LIBCMT ref: 0040D2B9
_memcpy_s.LIBCMT ref: 0040D2F4
_memcpy_s.LIBCMT ref: 0040D307
~_Task_impl.LIBCPMT ref: 0040D3E3

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$_memcpy_s$BaseBase::~Concurrency::details::H_prolog3$Task_impl$H_prolog3_
String ID:
API String ID: 2867354398-0
Opcode ID: 5a7ae148b304c2ff6d5206eedb4da12cde4d923a61817e6225b55e7776d71b5a
Instruction ID: 644935d94622af2a1bb44ed62754b19383f141f992d414a1fd6b3b21b0ba617d
Opcode Fuzzy Hash: 5a7ae148b304c2ff6d5206eedb4da12cde4d923a61817e6225b55e7776d71b5a
Instruction Fuzzy Hash: 1A713C71D102189EDF21EFE9C885BDDBBB8BF08304F14005AE905BB292DB789949CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406596 Relevance: 10.6, APIs: 7, Instructions: 58windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040659D
GetDlgItem.USER32(?,00000F03), ref: 004065AE

Part of subcall function 004024CE: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 004024D8
Part of subcall function 004024CE: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 004024F1

SetWindowTextW.USER32(?,?), ref: 004065E7
SendMessageW.USER32(?,00000007,00000000,00000000), ref: 004065FA
SendMessageW.USER32(?,00000437,00000000,?), ref: 00406612
LoadIconW.USER32(00000000,00000065), ref: 0040661C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0040662C

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: MessageSend$CriticalSection$EnterH_prolog3_IconItemLeaveLoadTextWindow
String ID:
API String ID: 1109778719-0
Opcode ID: cb5b31b88f434df52cecfe2312d03450dfd16ae1e43574abfc8bce4876b97835
Instruction ID: 9f3fef25f27dea73841c27482311e6ab953fd544b8be31692d42e3448e1b52f6
Opcode Fuzzy Hash: cb5b31b88f434df52cecfe2312d03450dfd16ae1e43574abfc8bce4876b97835
Instruction Fuzzy Hash: DE11B475D01208ABDF10EFA5ED49DAEBAB8FF44701F50442AF900B72A1CB789A05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0044A85F Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 0044A887

Part of subcall function 004425F6: __getptd.LIBCMT ref: 00442604
Part of subcall function 004425F6: __getptd.LIBCMT ref: 00442612

__getptd.LIBCMT ref: 0044A891

Part of subcall function 00442FE9: __getptd_noexit.LIBCMT ref: 00442FEC
Part of subcall function 00442FE9: __amsg_exit.LIBCMT ref: 00442FF9

__getptd.LIBCMT ref: 0044A89F
__getptd.LIBCMT ref: 0044A8AD
__getptd.LIBCMT ref: 0044A8B8
_CallCatchBlock2.LIBCMT ref: 0044A8DE

Part of subcall function 0044269B: __CallSettingFrame@12.LIBCMT ref: 004426E7

Part of subcall function 0044A985: __getptd.LIBCMT ref: 0044A994
Part of subcall function 0044A985: __getptd.LIBCMT ref: 0044A9A2

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 037325c11ed2f6c113bbb59e558177b44415e06d6e19bbefb16d21ce96c9778e
Instruction ID: 3740a0d705ae0ae49e4c21e1aea684132753d3fca633403e1697f9b9b249138b
Opcode Fuzzy Hash: 037325c11ed2f6c113bbb59e558177b44415e06d6e19bbefb16d21ce96c9778e
Instruction Fuzzy Hash: 691107B1C00209DFEB00EFA5D946AAD7BB0FF08315F51806AF814A7251DB789A159F69

Uniqueness

Uniqueness Score: -1.00%

Function 00413075 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 267COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041307F
_wcslen.LIBCMT ref: 004130AA
_wcslen.LIBCMT ref: 004130C1

Part of subcall function 00413B95: _memmove_s.LIBCMT ref: 00413BD1

Part of subcall function 0043E277: _malloc.LIBCMT ref: 0043E291

Strings

..\, xrefs: 004130A4, 004130A9, 004130BA, 004130DD
__\, xrefs: 004132DF

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _wcslen$H_prolog3__malloc_memmove_s
String ID: ..\$__\
API String ID: 2376997039-3588609683
Opcode ID: db9acb81265b8c5b41a1122ea065f31843279db8baf119d52b68015c14ceb194
Instruction ID: 8b41afdeac141db5019ad30078342311178dee5fe37dfcacca31974cce8910ab
Opcode Fuzzy Hash: db9acb81265b8c5b41a1122ea065f31843279db8baf119d52b68015c14ceb194
Instruction Fuzzy Hash: 21B1F871D002199FCF10EFA5C981ADDB7B5BF08309F5040AAE919B7262DB34AE85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004170B3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 004170E4
__CxxThrowException@8.LIBCMT ref: 004170F9
std::_String_base::_Xlen.LIBCPMT ref: 00417146

Part of subcall function 0043E277: _malloc.LIBCMT ref: 0043E291

Strings

%YA, xrefs: 004170E1, 004170EE, 004170F1

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Exception@8String_base::_ThrowXlen_mallocstd::_std::exception::exception
String ID: %YA
API String ID: 1448684856-2875574786
Opcode ID: 1c89118e8782c817023a245a5662ec6a726f0b008d27329da9e9135c38a9dabf
Instruction ID: 826aee14aba2dada2e0c0d6d914aec1c90e4a6fe3c02c31b16448a151633a2fd
Opcode Fuzzy Hash: 1c89118e8782c817023a245a5662ec6a726f0b008d27329da9e9135c38a9dabf
Instruction Fuzzy Hash: 4061AE71B04209AFCB08DFB8C5819AEB7B5FB48310B14866AF806D7345D774EE92CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD89 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040AD90
~_Task_impl.LIBCPMT ref: 0040AEFC
~_Task_impl.LIBCPMT ref: 0040AF1D

Strings

@, xrefs: 0040AE71
, xrefs: 0040AE4D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Task_impl$H_prolog3
String ID: $@
API String ID: 1204490572-1077428164
Opcode ID: f938a21673830a58c09ec0d7948e57403bae038911eb82e195e49afc5d475ba6
Instruction ID: 373a1f9600140a49ee3458ea33e3d4ec4bb889b64512913e1dbc6d79c785f90a
Opcode Fuzzy Hash: f938a21673830a58c09ec0d7948e57403bae038911eb82e195e49afc5d475ba6
Instruction Fuzzy Hash: 77518571E0030A9FDF15DBA4C581BEEBBB5BF08308F10402AE205B72D1D7789A95CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00402589 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00402590
RtlEnterCriticalSection.NTDLL(0046D37C), ref: 0040259A
GetFileAttributesW.KERNEL32(?,00000001,00000000,00000000), ref: 0040266A
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 0040271E

Part of subcall function 004041EB: GetFileAttributesW.KERNEL32(?,00402684), ref: 004041EC
Part of subcall function 004041EB: SetFileAttributesW.KERNEL32(?,00000000), ref: 004041FB
Part of subcall function 004041EB: DeleteFileW.KERNEL32(?), ref: 00404202

Strings

, xrefs: 004026BC

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: File$Attributes$CriticalSection$DeleteEnterH_prolog3_Leave
String ID:
API String ID: 2863415744-3916222277
Opcode ID: 565cde79d5bf2fcdf3ec13553962e35467164625bf64d2f394189d5fd83d9e7e
Instruction ID: 4312e7856121fa19712d5fec8fb0b2f6e7f99b3189bca04f92570018e8eef9b4
Opcode Fuzzy Hash: 565cde79d5bf2fcdf3ec13553962e35467164625bf64d2f394189d5fd83d9e7e
Instruction Fuzzy Hash: A2415D71D00208EBDF11EBA5DE49ADDBB74AF54314F20042BF401B32E1DBB96A46CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0044BC59 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0044BC8D
__isleadbyte_l.LIBCMT ref: 0044BCC1
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000001,00000000,?,?,?,?,?,00000001), ref: 0044BCF2
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000001,00000000,?,?,?,?,?,00000001), ref: 0044BD60

Strings

HA@, xrefs: 0044BC5B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: HA@
API String ID: 3058430110-511064766
Opcode ID: 875b578988ed47721630309d655be91a1d1c4720da4d2d6528e0cd90c0d70720
Instruction ID: ca627bc45d7ef0780ad45458da5c961b52dda9ff06ddcf591da8031d59a17a4a
Opcode Fuzzy Hash: 875b578988ed47721630309d655be91a1d1c4720da4d2d6528e0cd90c0d70720
Instruction Fuzzy Hash: C231AE31A00246EFFB20DFA4C8C0ABE7BA5EF05311B1445AEE4918B291DB34DD51DBD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405507 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0046D37C), ref: 0040552A
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00405537
EndDialog.USER32(?,00000001), ref: 004055A0

Part of subcall function 00402A2E: __EH_prolog3_GS.LIBCMT ref: 00402A38
Part of subcall function 00402A2E: _memset.LIBCMT ref: 00402A76
Part of subcall function 00402A2E: LoadStringW.USER32(?,?,00000208), ref: 00402A93

Part of subcall function 0040274D: RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00402754
Part of subcall function 0040274D: ResetEvent.KERNEL32(?,00406579), ref: 0040276A
Part of subcall function 0040274D: RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00402779

MessageBoxW.USER32(?,?,ALZip Self-Extractor,00000044), ref: 0040556B

Strings

ALZip Self-Extractor, xrefs: 00405564

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DialogEventH_prolog3_LoadMessageResetString_memset
String ID: ALZip Self-Extractor
API String ID: 3440476444-1641417939
Opcode ID: 3b98b675ac9ad2cfabaa79d9f81b076a09bbfee098f7cf1fe62e0f36a2991211
Instruction ID: 471963ea7f7e2ccfc45a4f44b60177944b494bddcf1d6ac204b8d3bcb8039de2
Opcode Fuzzy Hash: 3b98b675ac9ad2cfabaa79d9f81b076a09bbfee098f7cf1fe62e0f36a2991211
Instruction Fuzzy Hash: 30115475E00614ABCB10ABA5DC49EEEB7B4EF08715F00406AF506B31D1DBB899458FAE

Uniqueness

Uniqueness Score: -1.00%

Function 0044AC0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 0044AC1F

Part of subcall function 0044AB7A: ___BuildCatchObjectHelper.LIBCMT ref: 0044ABB0

_UnwindNestedFrames.LIBCMT ref: 0044AC36
___FrameUnwindToState.LIBCMT ref: 0044AC44

Strings

,MF, xrefs: 0044AC0E
csm, xrefs: 0044AC1B, 0044AC30, 0044AC43, 0044AC61, 0044AC71

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: ,MF$csm
API String ID: 2163707966-3227229043
Opcode ID: 5c8f2af7e9ab93918b85453fa262e85abb9d9f7666176a4a2f4df9a01d61c6cb
Instruction ID: 4dd1093d2e8111e5b8b22beb7b08503d1f336e95291445bca5321acc57fa5882
Opcode Fuzzy Hash: 5c8f2af7e9ab93918b85453fa262e85abb9d9f7666176a4a2f4df9a01d61c6cb
Instruction Fuzzy Hash: 6F016D71040109BBEF226F51CE85EEB7F6AEF08344F00401AFD0815121D77AD9B1DBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0044A5AE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0044A5C8

Part of subcall function 00442FE9: __getptd_noexit.LIBCMT ref: 00442FEC
Part of subcall function 00442FE9: __amsg_exit.LIBCMT ref: 00442FF9

__getptd.LIBCMT ref: 0044A5D9
__getptd.LIBCMT ref: 0044A5E7

Strings

csm, xrefs: 0044A5C1
MOC, xrefs: 0044A5BA

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: MOC$csm
API String ID: 803148776-1389381023
Opcode ID: 3df8ee8ec52dc9dc70640ef6389d78f4495cc6174d440821b0166b1fa47fe7ed
Instruction ID: e484c1bf3ea00cb790a951f8a026827c86af996de617958322c76dd2f60bd679
Opcode Fuzzy Hash: 3df8ee8ec52dc9dc70640ef6389d78f4495cc6174d440821b0166b1fa47fe7ed
Instruction Fuzzy Hash: 33E0DF310002049FF750ABA4C646B6D33A0FB48318F9500A7F00CC7722C7BCE890A65F

Uniqueness

Uniqueness Score: -1.00%

Function 0041EBA5 Relevance: 7.6, APIs: 5, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041EBAC
VirtualQuery.KERNEL32(?,?,0000001C,0000004C,0041EA9B,Kernel32.dll,?,0041E7D6,0041E7D6), ref: 0041ECE3
VirtualProtect.KERNEL32(?,?,00000004,?), ref: 0041ECF5
SetLastErrorEx.USER32(00000006,00000001), ref: 0041ECFF
VirtualProtect.KERNEL32(?,?,?,?), ref: 0041ED1B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Virtual$Protect$ErrorH_prolog3LastQuery
String ID:
API String ID: 570981605-0
Opcode ID: 65fdf69990a946e7919c5bdb395373328b77ecf30fedffd860835dd2c8197bc7
Instruction ID: 94a23f2daef97fc16d14d93dba0e8a61d25fdfc7a325e66e3fcf56ba6ca204e1
Opcode Fuzzy Hash: 65fdf69990a946e7919c5bdb395373328b77ecf30fedffd860835dd2c8197bc7
Instruction Fuzzy Hash: F9512A75D0021ADFDF10DF9AD880AEEB7B1BF08315F14402AE915B7291D778A981CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00416B5B Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

Part of subcall function 00416847: __EH_prolog3.LIBCMT ref: 0041684E
Part of subcall function 00416847: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041687E

Part of subcall function 0041688D: __EH_prolog3.LIBCMT ref: 00416894
Part of subcall function 0041688D: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004168C4

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416C43

Part of subcall function 0041DD34: __EH_prolog3.LIBCMT ref: 0041DD3B

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416C51

Part of subcall function 0041E38C: __EH_prolog3.LIBCMT ref: 0041E393

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416C5F
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416C6D
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416C7B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::$H_prolog3
String ID:
API String ID: 3591412279-0
Opcode ID: 15aace48c2e27e40484a496d2c03ca2b6d15d76e1c3a1ef29eab739b51e64e66
Instruction ID: 0cc3dd9330bc14031470f257f5de990838e950f7e3da5ab8940743d19acb8a32
Opcode Fuzzy Hash: 15aace48c2e27e40484a496d2c03ca2b6d15d76e1c3a1ef29eab739b51e64e66
Instruction Fuzzy Hash: C631A9711482805BD311F776D806B9FBBE89B96768F000A6FF995931C3DB6C9D04C267

Uniqueness

Uniqueness Score: -1.00%

Function 00408627 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00408631
_memset.LIBCMT ref: 0040866D
_memset.LIBCMT ref: 00408688
__i64tow_s.LIBCMT ref: 0040869E

Part of subcall function 0043F50C: @x64tow_s@24.LIBCMT ref: 0043F539

_wcslen.LIBCMT ref: 004086AA

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _memset$@x64tow_s@24H_prolog3___i64tow_s_wcslen
String ID:
API String ID: 291666582-0
Opcode ID: afe6c4f9a08a250915f8fde85b847d3df8819c973d92f74d55384bc27cbc58da
Instruction ID: cf9c3ecff213bbf401a964135294bd73bd750e54b7dcd1782100650e97086491
Opcode Fuzzy Hash: afe6c4f9a08a250915f8fde85b847d3df8819c973d92f74d55384bc27cbc58da
Instruction Fuzzy Hash: B031487591022C9ACB20AF95CC81BDEB2B4BF44B04F0095EBA988A7251DB745F80CFC8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCF7 Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0040BD05

Part of subcall function 0043FA7B: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0040BD0A,00000000,?,00000000,?,?,?,?,?,?,?,0040C06D), ref: 0043FA86
Part of subcall function 0043FA7B: __aulldiv.LIBCMT ref: 0043FAA6

Part of subcall function 0043FA10: __getptd.LIBCMT ref: 0043FA15

_rand.LIBCMT ref: 0040BD1E

Part of subcall function 0043FA22: __getptd.LIBCMT ref: 0043FA22

_rand.LIBCMT ref: 0040BD38
_rand.LIBCMT ref: 0040BD54
_rand.LIBCMT ref: 0040BD70

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: _rand$Time__getptd$FileSystem__aulldiv__time64
String ID:
API String ID: 3177928082-0
Opcode ID: 91fa5f4bde76b24554e9b0fd7d97363898b49e32f75485ec14a3fc9de959230c
Instruction ID: ff1a745d962dd6234f389f5e685d826f83d79bfc4e9d0658b06f278ef20ffd06
Opcode Fuzzy Hash: 91fa5f4bde76b24554e9b0fd7d97363898b49e32f75485ec14a3fc9de959230c
Instruction Fuzzy Hash: 58115E33A2091616E310AAB99C0126672C5EFD5338F15173FFDACA72D2D63C484541ED

Uniqueness

Uniqueness Score: -1.00%

Function 004452EF Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004452FB

Part of subcall function 00442FE9: __getptd_noexit.LIBCMT ref: 00442FEC
Part of subcall function 00442FE9: __amsg_exit.LIBCMT ref: 00442FF9

__amsg_exit.LIBCMT ref: 0044531B
__lock.LIBCMT ref: 0044532B
InterlockedDecrement.KERNEL32(?), ref: 00445348
InterlockedIncrement.KERNEL32(02302D00), ref: 00445373

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 78bc3618ddd09aef6fafce452ab13fd8b1d9a8cb56f934af84e023166b2a010d
Instruction ID: 84e7191920043a7197f39c3cbd69678d18c95e3365c759a52207c568fd34423d
Opcode Fuzzy Hash: 78bc3618ddd09aef6fafce452ab13fd8b1d9a8cb56f934af84e023166b2a010d
Instruction Fuzzy Hash: 7B018E32901F11ABEF21AF6AA40575E7360BF04BA5F04001BF810A7292C7AC9951DFDE

Uniqueness

Uniqueness Score: -1.00%

Function 0042C56B Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042C572
~_Task_impl.LIBCPMT ref: 0042C5C5
~_Task_impl.LIBCPMT ref: 0042C5D1
~_Task_impl.LIBCPMT ref: 0042C5DD
~_Task_impl.LIBCPMT ref: 0042C5E9

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Task_impl$H_prolog3
String ID:
API String ID: 1204490572-0
Opcode ID: 2fd22a28cd6030e5622c5a3aa8e0d93c00883349e47ab552c5db457d174edc9b
Instruction ID: ed01e4c37a7b51d4d1214c879ed182fcf5116548b7ada4532143a61967068765
Opcode Fuzzy Hash: 2fd22a28cd6030e5622c5a3aa8e0d93c00883349e47ab552c5db457d174edc9b
Instruction Fuzzy Hash: CD01E130501744DAE711FBB2C5417CEB7A06F24308F90884EE49A13282EF786B48C76A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A8EE Relevance: 7.5, APIs: 5, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042A8F5
~_Task_impl.LIBCPMT ref: 0042A90F

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

~_Task_impl.LIBCPMT ref: 0042A91B

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

~_Task_impl.LIBCPMT ref: 0042A927

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

~_Task_impl.LIBCPMT ref: 0042A933

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Part of subcall function 0042081A: __EH_prolog3.LIBCMT ref: 00420821
Part of subcall function 0042081A: ~_Task_impl.LIBCPMT ref: 0042083B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$H_prolog3$Task_impl$BaseBase::~Concurrency::details::
String ID:
API String ID: 955762131-0
Opcode ID: c1405ad1c235bfb1f82d49fc1e0c5ebc055ad1cc7e6c075182973ec2b700ae0c
Instruction ID: 0014742cf07b321e29da727027317060f420ee9bd4e854571a50f9ca543b6f64
Opcode Fuzzy Hash: c1405ad1c235bfb1f82d49fc1e0c5ebc055ad1cc7e6c075182973ec2b700ae0c
Instruction Fuzzy Hash: 1CF06770405694DED711FBA5C25178DFBE46F18308F90848EE58613682DBBC6A48972A

Uniqueness

Uniqueness Score: -1.00%

Function 004219BB Relevance: 7.5, APIs: 5, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004219C2
~_Task_impl.LIBCPMT ref: 004219D4

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

~_Task_impl.LIBCPMT ref: 004219E0

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

~_Task_impl.LIBCPMT ref: 004219EC

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

~_Task_impl.LIBCPMT ref: 004219F7

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$H_prolog3$BaseBase::~Concurrency::details::Task_impl
String ID:
API String ID: 2784628925-0
Opcode ID: bde16b9a8c0d2e2fa34034a6bafbdab424764ff328371657bf470a3c3a62037d
Instruction ID: 03b40bc48b9629c10e6e557975a55f1c597e197f10b28b8c9b675afc985e6e02
Opcode Fuzzy Hash: bde16b9a8c0d2e2fa34034a6bafbdab424764ff328371657bf470a3c3a62037d
Instruction Fuzzy Hash: 8EE09274501744DADB15FBA6C2027DDBB706F14318F50814EE452172C3DB785B88D76A

Uniqueness

Uniqueness Score: -1.00%

Function 00407B5D Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 203COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00407B67

Part of subcall function 004035F7: std::_String_base::_Xlen.LIBCPMT ref: 00403630

_wcslen.LIBCMT ref: 00407C7D

Strings

/, xrefs: 00407B97
, xrefs: 00407D8B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3_String_base::_Xlen_wcslenstd::_
String ID: $/
API String ID: 781070004-2637513485
Opcode ID: f9cc981b204faada10a15d4e1e7f8bbfa6e427c0c64561c5d4e8847c52bcf933
Instruction ID: c03a2412b405caaf7ceb9b49ca34e629e8e88464053507a8947a4f4999880cc0
Opcode Fuzzy Hash: f9cc981b204faada10a15d4e1e7f8bbfa6e427c0c64561c5d4e8847c52bcf933
Instruction Fuzzy Hash: 40815D71D00218EADF21EBA5CD41BDDB7B9AF05308F1040AEE504B71D2CB786A89CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00408FC2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00408FCC
_memset.LIBCMT ref: 00408FF4

Part of subcall function 0041B1EF: __EH_prolog3.LIBCMT ref: 0041B1F6

Part of subcall function 00408F50: __EH_prolog3.LIBCMT ref: 00408F57

CreateDirectoryW.KERNEL32(?,00000000), ref: 0040916D

Strings

, xrefs: 00409123

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$CreateDirectoryH_prolog3__memset
String ID:
API String ID: 1337434558-3916222277
Opcode ID: 99dc8ddd17d55bd83f03f83a8a0871248ebd7c9e23bce9817a0909e78cb56283
Instruction ID: 248712948781d7bee9fbe3fd8c0b5f5771086fdc1c603c29424be3ddbefa2347
Opcode Fuzzy Hash: 99dc8ddd17d55bd83f03f83a8a0871248ebd7c9e23bce9817a0909e78cb56283
Instruction Fuzzy Hash: F5511B71D052299ADF20EF65CD89BDEB7B8AB04304F1001EAE508B7291DB78AF84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041F04A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041F051

Part of subcall function 00420AC6: __EH_prolog3.LIBCMT ref: 00420ACD

Part of subcall function 0041D527: __EH_prolog3.LIBCMT ref: 0041D52E

~_Task_impl.LIBCPMT ref: 0041F0E0

Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917
Part of subcall function 00416910: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416936

~_Task_impl.LIBCPMT ref: 0041F0EC

Strings

EA, xrefs: 0041F05B

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ContextExternalTask_impl$BaseBase::~Concurrency::details::
String ID: EA
API String ID: 2350445212-1184852372
Opcode ID: 971a07678716803d42b4dddf1fa94e13d0632f07d9e6ed499db8f1853d33a3ca
Instruction ID: e063da5e1e934e61e0954e9a2f31bfc6a800ebdbda6208309bf7f98b30ae4770
Opcode Fuzzy Hash: 971a07678716803d42b4dddf1fa94e13d0632f07d9e6ed499db8f1853d33a3ca
Instruction Fuzzy Hash: A8115A70502744DAD710FBB5C2067CEBBE46F24308F90485EA09623282DFB8274CCB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0044E57F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0044D970), ref: 0044E584
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0044E594

Strings

KERNEL32, xrefs: 0044E57F
IsProcessorFeaturePresent, xrefs: 0044E58E

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 01c8bc9742624e4265bbedcc6c3e9e909c83d08e290bfc3679eaa2c4e7004593
Instruction ID: 15ccf9716c4986a3b4df78ecb24a1f580b978f93c54c7f1f34a83364263a8082
Opcode Fuzzy Hash: 01c8bc9742624e4265bbedcc6c3e9e909c83d08e290bfc3679eaa2c4e7004593
Instruction Fuzzy Hash: 77F03030A01A09E2EF006BE1FD0A37F7A78BB8074AF950591D191E00D4EF749171D25A

Uniqueness

Uniqueness Score: -1.00%

Function 00423413 Relevance: 6.4, APIs: 4, Instructions: 439COMMON

Download Yara Rule

APIs

Part of subcall function 00416A07: __EH_prolog3.LIBCMT ref: 00416A0E
Part of subcall function 00416A07: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416A41
Part of subcall function 00416A07: ~_Task_impl.LIBCPMT ref: 00416A57

Part of subcall function 00416CA1: ~_Task_impl.LIBCPMT ref: 00416CBA

~_Task_impl.LIBCPMT ref: 00423591

Part of subcall function 0042081A: __EH_prolog3.LIBCMT ref: 00420821
Part of subcall function 0042081A: ~_Task_impl.LIBCPMT ref: 0042083B

~_Task_impl.LIBCPMT ref: 0042392F

Part of subcall function 0042CAD6: __EH_prolog3.LIBCMT ref: 0042CADD

~_Task_impl.LIBCPMT ref: 00423998
~_Task_impl.LIBCPMT ref: 00423A22

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: Task_impl$H_prolog3$ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 2757123028-0
Opcode ID: 347e91457edb1d98d709e29b60b2b13c36e1b470990e1a9b9d49156d118002b4
Instruction ID: eb171a630df438c31a54dfca674e0afc03208e755016523bcd74ec3a0bb07778
Opcode Fuzzy Hash: 347e91457edb1d98d709e29b60b2b13c36e1b470990e1a9b9d49156d118002b4
Instruction Fuzzy Hash: 9102C0713083119FDB10DF15D881BEAB7F5AF89304F44086EF9889B252DB78EA45CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0042D1A5 Relevance: 6.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0042D202

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0042D24D

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 0042D27D

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

_memset.LIBCMT ref: 0042D2CA

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::H_prolog3$Task_impl$_memset
String ID:
API String ID: 1412648963-0
Opcode ID: 434e6597fa5204e0b70385b1273d44b6ff13530a9a69567a7400b31a4a463602
Instruction ID: 4e8f2658d289cd15973fe97a757588807b6e1a0e1833324c8caa39398db08741
Opcode Fuzzy Hash: 434e6597fa5204e0b70385b1273d44b6ff13530a9a69567a7400b31a4a463602
Instruction Fuzzy Hash: 04617E71104B059FD710EF66C881BABB7E9BF44308F40491EF5A693291DB78E949CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0042D660 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0042D6B6

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0042D701

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 0042D731

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

_memset.LIBCMT ref: 0042D77E

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::H_prolog3$Task_impl$_memset
String ID:
API String ID: 1412648963-0
Opcode ID: ec2a1dd0f1128a860a66848109bea1e6b745af1d396443739ff2beb97782ece2
Instruction ID: a42144a2cd15f0d34e4a2f3c9d0ecd2d63c3274e7433e25c8d5c91002d51ea7b
Opcode Fuzzy Hash: ec2a1dd0f1128a860a66848109bea1e6b745af1d396443739ff2beb97782ece2
Instruction Fuzzy Hash: 5251A1711047019BD720EF26C881BABB7E9BF44318F40491EF5A693291DB78F949CB26

Uniqueness

Uniqueness Score: -1.00%

Function 0040C515 Relevance: 6.1, APIs: 4, Instructions: 147COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C51C

Part of subcall function 00416A64: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416AC4
Part of subcall function 00416A64: ~_Task_impl.LIBCPMT ref: 00416AE1

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0040C573

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

_memcpy_s.LIBCMT ref: 0040C641
~_Task_impl.LIBCPMT ref: 0040C6CC

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::$H_prolog3Task_impl$H_prolog3__memcpy_s
String ID:
API String ID: 2470942776-0
Opcode ID: eff0c919955eaa5fafd51dffa1b569ac8385b31748cd2154fd5801c508f07d01
Instruction ID: a0c16ac441c4c1ba74e774e1068f28e38114783427b07da58fef628b9fdbc33d
Opcode Fuzzy Hash: eff0c919955eaa5fafd51dffa1b569ac8385b31748cd2154fd5801c508f07d01
Instruction Fuzzy Hash: CD513F71901208EFCF12EF98C991BEDBBB5AF09304F54055AF901BB2A1C73A9D41DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042DDF8 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0042DE4F

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0042DE7A

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 0042DEAD

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

_memset.LIBCMT ref: 0042DEE7

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::H_prolog3$Task_impl$_memset
String ID:
API String ID: 1412648963-0
Opcode ID: f080c335822530d4f6bf3ee587310af39b35c4a696f1a429b4128999daaba94a
Instruction ID: fe9c80fb6022518badf757a1505c7fe0a1341e33b3352536d46a2951d5d510bc
Opcode Fuzzy Hash: f080c335822530d4f6bf3ee587310af39b35c4a696f1a429b4128999daaba94a
Instruction Fuzzy Hash: 59413F71504B449FC320DF26D885FDBB7E8FF48314F404A2EB1AA82591EB78A549CB16

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB05 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0042DB5C

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0042DB87

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 0042DBBA

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

_memset.LIBCMT ref: 0042DBD5

Part of subcall function 0041769A: __EH_prolog3.LIBCMT ref: 004176A1
Part of subcall function 0041769A: ~_Task_impl.LIBCPMT ref: 00417715
Part of subcall function 0041769A: ~_Task_impl.LIBCPMT ref: 0041772E

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$H_prolog3$BaseBase::~Concurrency::details::$Task_impl$_memset
String ID:
API String ID: 760866448-0
Opcode ID: 5a8012005e51d16ca309acf720660f10145b1a8cce68c463ce1721608d457ab8
Instruction ID: a146cb0471d9870b59ce287e6573bc2584331ef9736e8ce9ce73ad801e60ebed
Opcode Fuzzy Hash: 5a8012005e51d16ca309acf720660f10145b1a8cce68c463ce1721608d457ab8
Instruction Fuzzy Hash: 7B415371404B449FC350DF26C881F9BB7E8FF88314F404A2EF1AAC2591EB74A549CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00412E53 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00412E5A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000054,0040B007,?,?,?,?,0000FFFF,00000000,?,?), ref: 00412E90
_memset.LIBCMT ref: 00412EBA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,?,?), ref: 00412ED4

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog3__memset
String ID:
API String ID: 2885787191-0
Opcode ID: 38a92ef5ca66ef2072cf86a245b43029b36038a98e5eac0b35b80e5cb29a93d7
Instruction ID: 3863c83fe06225a5ae4148ddb5033e45959a7b30eb5cf4067f07400f02761122
Opcode Fuzzy Hash: 38a92ef5ca66ef2072cf86a245b43029b36038a98e5eac0b35b80e5cb29a93d7
Instruction Fuzzy Hash: 5F316D71900219EBDF14EFA9CD85D9EBBB8FF45314F10411AF414BB2A1D774A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420046 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00420050

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

~_Task_impl.LIBCPMT ref: 004201BB

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

Part of subcall function 00413579: __EH_prolog3.LIBCMT ref: 00413580

_wcsrchr.LIBCMT ref: 004200F8
~_Task_impl.LIBCPMT ref: 00420188

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$H_prolog3$BaseBase::~Concurrency::details::Task_impl$H_prolog3__wcsrchr
String ID:
API String ID: 1620322408-0
Opcode ID: b02d712a3b3850647fc3cb75c3c18bc5e33693b6778954b05c17ffb8c911a652
Instruction ID: 0e4d00dfc81e2d5a56882bd4262890027d82d1b365ea70eb22062f189641df61
Opcode Fuzzy Hash: b02d712a3b3850647fc3cb75c3c18bc5e33693b6778954b05c17ffb8c911a652
Instruction Fuzzy Hash: 22415071900228CBDB24EF65D985BDDB7B4AF04304F5444AEE849A7283DB786E89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042E0CB Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0042E121

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Part of subcall function 004174CF: __EH_prolog3.LIBCMT ref: 004174D6
Part of subcall function 004174CF: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00417522

~_Task_impl.LIBCPMT ref: 0042E14C

Part of subcall function 0041A53E: __EH_prolog3.LIBCMT ref: 0041A545
Part of subcall function 0041A53E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A564

Part of subcall function 0041A5BC: __EH_prolog3.LIBCMT ref: 0041A5C3
Part of subcall function 0041A5BC: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041A5F1

~_Task_impl.LIBCPMT ref: 0042E17C

Part of subcall function 0041AA9F: __EH_prolog3.LIBCMT ref: 0041AAA6
Part of subcall function 0041AA9F: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 0041AAC5

_memset.LIBCMT ref: 0042E1B4

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::H_prolog3$Task_impl$_memset
String ID:
API String ID: 1412648963-0
Opcode ID: 4273077c6009c0006c0eef0902f281482b018d229e40169b7648069e443d1861
Instruction ID: d163ef56d4875cd5245e04434ae19b865a1411fd67e8b0c7c2476eac826f71ba
Opcode Fuzzy Hash: 4273077c6009c0006c0eef0902f281482b018d229e40169b7648069e443d1861
Instruction Fuzzy Hash: 3131C9721047019BC310DF25C886FEBB7E8FF84328F004A2EF5A6921D1EB78A549CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0042EF1D Relevance: 6.1, APIs: 4, Instructions: 73filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,004189DE), ref: 0042EF5B
SetFileTime.KERNEL32(?,01000000,?,?,?,?,?,?,?,004189DE,?,?), ref: 0042EFC2
CloseHandle.KERNEL32(?,?,?,?,?,?,004189DE,?,?), ref: 0042EFCB
SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,004189DE,?,?), ref: 0042EFD7

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: File$AttributesCloseCreateHandleTime
String ID:
API String ID: 1550419386-0
Opcode ID: b790b8bafb1fb66787ca377f85770b015e8ef0bce398cfc088fb048ebc76be7f
Instruction ID: 73e65076f2c62163f4d40997ece2b127e1876d17bd723a2e176288497e8f3f9b
Opcode Fuzzy Hash: b790b8bafb1fb66787ca377f85770b015e8ef0bce398cfc088fb048ebc76be7f
Instruction Fuzzy Hash: 25218E36A00224FBCF10DFA6DD809AEFBB5FF08700F554456F915A7261C334AA01DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00406BF9 Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EE), ref: 00406C34
DestroyCursor.USER32(?), ref: 00406C5F
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00406C75
EndDialog.USER32(?,00000000), ref: 00406C9C

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CursorDestroyDialogItemMessageSend
String ID:
API String ID: 3563011593-0
Opcode ID: 27536f49ddd20f3162466020e6142a748eed79968cedf931ff367879e25cebf3
Instruction ID: 5d3838eb0507e8e9d3164063cd292666b4a99632ae5be181a3c13b31fe4b5700
Opcode Fuzzy Hash: 27536f49ddd20f3162466020e6142a748eed79968cedf931ff367879e25cebf3
Instruction Fuzzy Hash: DA1100715083029FD710DF24D8085AB7EE8EB48750F01093AF886E2291C775D9548BAA

Uniqueness

Uniqueness Score: -1.00%

Function 00420903 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0042090A

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

~_Task_impl.LIBCPMT ref: 0042095F

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

~_Task_impl.LIBCPMT ref: 0042099A
~_Task_impl.LIBCPMT ref: 004209A6

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$H_prolog3$BaseBase::~Concurrency::details::Task_impl
String ID:
API String ID: 2784628925-0
Opcode ID: 4688d8976d0199470a2c22c3aea01d257cc4f1acdd1df93fbb1ad33c3b7d6526
Instruction ID: c3f4f06405c183e8c27bd4e5bcf57809b16d994df9e88f987db75c0ae41620ab
Opcode Fuzzy Hash: 4688d8976d0199470a2c22c3aea01d257cc4f1acdd1df93fbb1ad33c3b7d6526
Instruction Fuzzy Hash: 86118EB2A002298ADF10E7F1D942ADDB7F86F08318F54015BE411B3293DB7CDA859B69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F97C Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041F983

Part of subcall function 00416941: __EH_prolog3.LIBCMT ref: 00416948
Part of subcall function 00416941: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416994

~_Task_impl.LIBCPMT ref: 0041F9A2

Part of subcall function 00416F12: __EH_prolog3.LIBCMT ref: 00416F19
Part of subcall function 00416F12: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F38

Part of subcall function 00416F48: __EH_prolog3.LIBCMT ref: 00416F4F
Part of subcall function 00416F48: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 00416F7D

~_Task_impl.LIBCPMT ref: 0041F9DB

Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175E0
Part of subcall function 00417569: ~_Task_impl.LIBCPMT ref: 004175FC

Part of subcall function 00417618: __EH_prolog3.LIBCMT ref: 0041761F
Part of subcall function 00417618: ~_Task_impl.LIBCPMT ref: 00417667
Part of subcall function 00417618: ~_Task_impl.LIBCPMT ref: 00417680

~_Task_impl.LIBCPMT ref: 0041FA03

Part of subcall function 0041749E: __EH_prolog3.LIBCMT ref: 004174A5
Part of subcall function 0041749E: Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCMT ref: 004174C4

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ContextExternal$Task_impl$H_prolog3$BaseBase::~Concurrency::details::
String ID:
API String ID: 1430828601-0
Opcode ID: e7d970a8a11411c6f75e2e8b6c24b35890bb732824f4e27c69ba6e00aa44f227
Instruction ID: 44e1f0b927bd7b2ed043e242114dbff5f7653ab3c8518303acf1562966ee053b
Opcode Fuzzy Hash: e7d970a8a11411c6f75e2e8b6c24b35890bb732824f4e27c69ba6e00aa44f227
Instruction Fuzzy Hash: C9114C72D102199BCF05EBE5C9429EEBAB5BF48318F15011FF501B2142DB7C4A86DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044E46B Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0044E491

Part of subcall function 0044E2B6: __fltout2.LIBCMT ref: 0044E2E2

__cftog_l.LIBCMT ref: 0044E4B7
__cftoe_l.LIBCMT ref: 0044E4E9

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 61eb281aa5bafdc78bc62c604ad03b1a9d2af5580579acb69e26090bfddcdc64
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 20114E3240014EBBDF125E86CC05CEE3F66BB58354B598516FE1859531D33ACAB1AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0043F019 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0043F025

Part of subcall function 00442FE9: __getptd_noexit.LIBCMT ref: 00442FEC
Part of subcall function 00442FE9: __amsg_exit.LIBCMT ref: 00442FF9

__getptd.LIBCMT ref: 0043F03C
__amsg_exit.LIBCMT ref: 0043F04A
__lock.LIBCMT ref: 0043F05A

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: b1e0c0a5448efabfee26ab4210d0a83be094dc2be716cf0cf69538b834d69297
Instruction ID: 0bf5fddf3d16609b7de356d7c8dcce46c38ec617913d4588fd3e3759b8cc80ba
Opcode Fuzzy Hash: b1e0c0a5448efabfee26ab4210d0a83be094dc2be716cf0cf69538b834d69297
Instruction Fuzzy Hash: B1F09631D00704DAE724BB6E8402B4D33B0AB04715F51516FF445672D2CBBCA909DE5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040274D Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0046D37C), ref: 00402754
ResetEvent.KERNEL32(?,00406579), ref: 0040276A
SetEvent.KERNEL32(?,00406579), ref: 00402772
RtlLeaveCriticalSection.NTDLL(0046D37C), ref: 00402779

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: e4502d0c1e152c0b3c27294801e285d9a5189cc38259356d85abcddf4bf7b6e2
Instruction ID: 90a81c630b5993b01a57911b88393e436c102d869a29737ede06170e9b4f18d3
Opcode Fuzzy Hash: e4502d0c1e152c0b3c27294801e285d9a5189cc38259356d85abcddf4bf7b6e2
Instruction Fuzzy Hash: A5D09E35E01B10DB82012B65FD1C83E7B74BB89F233044036F905522E6D77884829BEF

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3AD Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

%dd, xrefs: 0041C5A2

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3
String ID: %dd
API String ID: 431132790-2324256507
Opcode ID: adc50be12d1e0659531fa70ad0377a2fe02ae832fdc62dcf9b1123fb7942022f
Instruction ID: edbc95063cb021f958530c54f012c0488dae2d00e476d249a18a9024959327ad
Opcode Fuzzy Hash: adc50be12d1e0659531fa70ad0377a2fe02ae832fdc62dcf9b1123fb7942022f
Instruction Fuzzy Hash: F1B1D6715083419FD710DF25CC85BDB77E4EF84304F00492EF899AB291D778AA49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041439B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004143A2

Part of subcall function 004019AB: __EH_prolog3.LIBCMT ref: 004019B2

__CxxThrowException@8.LIBCMT ref: 004143DD

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

invalid map/set<T> iterator, xrefs: 004143B0

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1412866469-152884079
Opcode ID: 214a1360eddc4774590fc6b75ba5467869ee86e2c87a56b4d94164092fecbfaf
Instruction ID: 16de6d5d629a44f6fbca0d7ce61b069652a3f9bde28aa7acaf850db990017336
Opcode Fuzzy Hash: 214a1360eddc4774590fc6b75ba5467869ee86e2c87a56b4d94164092fecbfaf
Instruction Fuzzy Hash: FFA15270604281DFDB25DF18C094B95BBA2AF95308F28809ED5894F353D7BAECC6CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00420C21 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00420C28

Part of subcall function 004019AB: __EH_prolog3.LIBCMT ref: 004019B2

__CxxThrowException@8.LIBCMT ref: 00420C63

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

invalid map/set<T> iterator, xrefs: 00420C36

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1412866469-152884079
Opcode ID: cb780e3be1d7be823bbbf1e97537612ff57dea44c5e85d2240daeca51fd3b885
Instruction ID: 3a6f6e1a03239d223cc07eb7ec3fea3e38dd0092dbddc62d643263e70a71959f
Opcode Fuzzy Hash: cb780e3be1d7be823bbbf1e97537612ff57dea44c5e85d2240daeca51fd3b885
Instruction Fuzzy Hash: 4BA1B1706052909FDB25CF24D184B65BFE1AF15308F99848ED5894F393D3BAEC86CB85

Uniqueness

Uniqueness Score: -1.00%

Function 00424191 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00424198

Part of subcall function 004019AB: __EH_prolog3.LIBCMT ref: 004019B2

__CxxThrowException@8.LIBCMT ref: 004241D3

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

invalid map/set<T> iterator, xrefs: 004241A6

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1412866469-152884079
Opcode ID: 42bf58be54c9fc93da7b6695bd18622cc62b0bb11f2f874cab27a9c32e0929e3
Instruction ID: 379843a0f5437a073df0b8eb69b895f7c5728a9a23eb36e04a4533f08b177c9f
Opcode Fuzzy Hash: 42bf58be54c9fc93da7b6695bd18622cc62b0bb11f2f874cab27a9c32e0929e3
Instruction Fuzzy Hash: 81A15C70604290DFDB15CF54E184B667FA1AF95308F6880CEE4854F352C7B9E986CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0040D968 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 224COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040D96F

Part of subcall function 004019AB: __EH_prolog3.LIBCMT ref: 004019B2

__CxxThrowException@8.LIBCMT ref: 0040D9AA

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

invalid map/set<T> iterator, xrefs: 0040D97D

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: invalid map/set<T> iterator
API String ID: 1412866469-152884079
Opcode ID: a134fa279731a07bba47809a80be17e54c93768cb7984c1d3060e38066cbe671
Instruction ID: e9fb153646d4762d7cf73799b29417873e21ef137326348b1c72c23985268895
Opcode Fuzzy Hash: a134fa279731a07bba47809a80be17e54c93768cb7984c1d3060e38066cbe671
Instruction Fuzzy Hash: 41A19F70A083809FDB15CF64C040B55BBA1BF15318F2885AED4955F393C3B9ED8ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041C109 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041C113

Strings

%s%d%s, xrefs: 0041C26A
%s%s%s, xrefs: 0041C358

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3_
String ID: %s%d%s$%s%s%s
API String ID: 2427045233-97145105
Opcode ID: dbda8c242151a0df21242d553e366543a58a81e17dab7c54e489c98345878b95
Instruction ID: 8a9e883ce63fa29b2cfbfdc24499e9f073fb1c5884e4e25b93c55b4d0fce00d4
Opcode Fuzzy Hash: dbda8c242151a0df21242d553e366543a58a81e17dab7c54e489c98345878b95
Instruction Fuzzy Hash: 89711771840218DADF10DB94CD85BDDB775BF01318F1481EAE508BB291DB786E89CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00423F90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00423F97

Part of subcall function 004019AB: __EH_prolog3.LIBCMT ref: 004019B2

__CxxThrowException@8.LIBCMT ref: 00423FD2

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

map/set<T> too long, xrefs: 00423FA5

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: map/set<T> too long
API String ID: 1412866469-1285458680
Opcode ID: 6a8fbc9ecea2529da978ed008fcd6a038cea14e749bc11c7aecb5f4abab9a594
Instruction ID: f41dcfb23a4905105fc1bcf4e592f8bac34df4de5b6a2ab7774db59615d49e1b
Opcode Fuzzy Hash: 6a8fbc9ecea2529da978ed008fcd6a038cea14e749bc11c7aecb5f4abab9a594
Instruction Fuzzy Hash: F45146306006509FC715DF15D184A66BBF0FF99308F95808EE5058B792C77AFC85CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0041CFC0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041CFC7

Part of subcall function 004019AB: __EH_prolog3.LIBCMT ref: 004019B2

__CxxThrowException@8.LIBCMT ref: 0041D004

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

map/set<T> too long, xrefs: 0041CFD7

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: map/set<T> too long
API String ID: 1412866469-1285458680
Opcode ID: 062fcfdadbe01c73dc747cc358ff25a76ec12af13d39133b13d35e70ea7a4608
Instruction ID: 23b61b0b5f182b0df7f42a9a9e94429a2d2252c9675ade3db4ef36030ba9e486
Opcode Fuzzy Hash: 062fcfdadbe01c73dc747cc358ff25a76ec12af13d39133b13d35e70ea7a4608
Instruction Fuzzy Hash: 274158B46006009FC321DF19C184A96BBF1BF5A308F25808AE4494B362DB7AFCC6CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040D5C5

Part of subcall function 004019AB: __EH_prolog3.LIBCMT ref: 004019B2

__CxxThrowException@8.LIBCMT ref: 0040D602

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

map/set<T> too long, xrefs: 0040D5D5

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$ExceptionException@8RaiseThrow
String ID: map/set<T> too long
API String ID: 1412866469-1285458680
Opcode ID: 464edc89ceb0ffeffbf29ced83f15c1e715f4b901d4848669bb529743c4c434d
Instruction ID: 0094c7c31f0751cbb5434dbe1ea07c1798ca11a8ecc98640f047b7b968928e3f
Opcode Fuzzy Hash: 464edc89ceb0ffeffbf29ced83f15c1e715f4b901d4848669bb529743c4c434d
Instruction Fuzzy Hash: 3C419D70A002408FC715DF59C084B59BBF1BF55304F1589AAE4195B3A2C7BAFD89CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004087B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004087BE
__localtime64_s.LIBCMT ref: 004087E4

Strings

%04d-%02d-%02d %s %02d:%02d:%02d, xrefs: 00408820

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3__localtime64_s
String ID: %04d-%02d-%02d %s %02d:%02d:%02d
API String ID: 3113134143-1150477626
Opcode ID: 3913c395875e1899ec829d0c1e3fce896a492bdad78b392709eaf548878e537e
Instruction ID: f249b1a570f42d39f6b46b8d72a234804d25a22ea53615f546526d0f23278411
Opcode Fuzzy Hash: 3913c395875e1899ec829d0c1e3fce896a492bdad78b392709eaf548878e537e
Instruction Fuzzy Hash: 5E018FB2900008AFEB01EB94D985BFEB7B9EF08304F50001BF411F7281DBB9AD408B69

Uniqueness

Uniqueness Score: -1.00%

Function 0044A985 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00442649: __getptd.LIBCMT ref: 0044264F
Part of subcall function 00442649: __getptd.LIBCMT ref: 0044265F

__getptd.LIBCMT ref: 0044A994

Part of subcall function 00442FE9: __getptd_noexit.LIBCMT ref: 00442FEC
Part of subcall function 00442FE9: __amsg_exit.LIBCMT ref: 00442FF9

__getptd.LIBCMT ref: 0044A9A2

Strings

csm, xrefs: 0044A9B0

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: f7050e1094d989b87afb2f9e212be214adf7153d1d3e55897fc14462d0a26091
Instruction ID: 6b0435e546b89cbfa20674766c1ef675ca6ae67648e4dfcc16742ac24b5e2e7b
Opcode Fuzzy Hash: f7050e1094d989b87afb2f9e212be214adf7153d1d3e55897fc14462d0a26091
Instruction Fuzzy Hash: 7C017875840201CAEF349F66D440AAEB3B4BF14312F95892FF04656A51CB7889E0DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E09A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041E0A1

Strings

%A, xrefs: 0041E0B4
~A, xrefs: 0041E0AE

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3
String ID: %A$~A
API String ID: 431132790-2827363916
Opcode ID: 30bb60def41bcf94dcb17b850634c21843be50c53bf145715324b0fdcf41de75
Instruction ID: 888ba7b1cb7feebe1e2c7f41cec86b384d09dea8d71917b1456e6523c4981875
Opcode Fuzzy Hash: 30bb60def41bcf94dcb17b850634c21843be50c53bf145715324b0fdcf41de75
Instruction Fuzzy Hash: 91E04FB460021597DB04BFA7C54239CB2A17F90308F84451FB9125B752DFBC59C58B4D

Uniqueness

Uniqueness Score: -1.00%

Function 0041E039 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0041E040

Part of subcall function 0041B1EF: __EH_prolog3.LIBCMT ref: 0041B1F6

Strings

%A, xrefs: 0041E05F
~A, xrefs: 0041E069

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3
String ID: %A$~A
API String ID: 431132790-2827363916
Opcode ID: f5ed4c646193485d1dd2008d993af9d4c6a1ce1e7687ff9c9f3a8e5f5f60ebbf
Instruction ID: 10a58805637716ac61d804a260a7508249e6e2175bc9b845257ea1c02becb991
Opcode Fuzzy Hash: f5ed4c646193485d1dd2008d993af9d4c6a1ce1e7687ff9c9f3a8e5f5f60ebbf
Instruction Fuzzy Hash: E8E026306002048BE301FF5AC90178D73A8AF10308F84805FFC808B312EBBD9A84876E

Uniqueness

Uniqueness Score: -1.00%

Function 00427C60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00427C67
~_Task_impl.LIBCPMT ref: 00427C84

Part of subcall function 0042E2C7: __EH_prolog3.LIBCMT ref: 0042E2CE

Strings

D|B, xrefs: 00427C71

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: H_prolog3$Task_impl
String ID: D|B
API String ID: 2843614703-2475354696
Opcode ID: fe7e188ea20f57aa2c6aafbce954ac993b7a621d97178a2e5972d442c36ed211
Instruction ID: f57faa44e8ec9089065f47dc187146ca79ba285728b7f695b537b288c20ddf65
Opcode Fuzzy Hash: fe7e188ea20f57aa2c6aafbce954ac993b7a621d97178a2e5972d442c36ed211
Instruction Fuzzy Hash: 1DE04F70600765CADB14FBA6D1453DCB6A0AF04318F91464EF0A6172D2DFBC1A04DA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0043DE2B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0043DE32
__CxxThrowException@8.LIBCMT ref: 0043DE5D

Part of subcall function 004422C9: RaiseException.KERNEL32(?,?,0043E2DB,?,?,?,?,?,0043E2DB,?,00464E88,0046C764,?,00401891,004012E3), ref: 0044230B

Strings

invalid string position, xrefs: 0043DE37

Memory Dump Source

Source File: 00000000.00000002.1196845795.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1196825254.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.000000000047C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1196845795.0000000000486000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1197126488.0000000000495000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_S34C65xU.jbxd

Similarity

API ID: ExceptionException@8H_prolog3RaiseThrow
String ID: invalid string position
API String ID: 1961742612-1799206989
Opcode ID: 561bb807eb2e6e16e906c1e3865466abc582dbc4d6a012a35fba0ef5bd63708c
Instruction ID: 05e7ea5aeabadc39b0013a968410e8434d3c405e35a505f529f85587c4203e22
Opcode Fuzzy Hash: 561bb807eb2e6e16e906c1e3865466abc582dbc4d6a012a35fba0ef5bd63708c
Instruction Fuzzy Hash: 9FD0EC7294010896DF04E6D1C956BED733C6B14715F50046FB10076086DFF856088A6D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Samsung_Driver_Installer.exePID: 4560, Parent PID: 5760COMMON

Executed Functions

Function 00007FF9D1DB0979 Relevance: 2.0, Strings: 1, Instructions: 711COMMON

Download Yara Rule

Strings

h1v0, xrefs: 00007FF9D1DB0E02

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID: h1v0
API String ID: 0-2781045131
Opcode ID: f67309d156c21e98c94554fac1507cce1ddd40bad643cc23f7592c0935870fb3
Instruction ID: 62a39029ec8bb2c0961dfed288be80988afab180048cc1edf27c6e35c3462a76
Opcode Fuzzy Hash: f67309d156c21e98c94554fac1507cce1ddd40bad643cc23f7592c0935870fb3
Instruction Fuzzy Hash: EE52BD7061CB888FD7B6EB18C494BDAB7E5FF99300F544969E08DC7252DB70A981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB1519 Relevance: 1.6, Instructions: 1625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0fb696ba087784006dbce477a3e9d607b9ee917e5fb6883c1674acb1b2a325f
Instruction ID: 1e585d4a836386724897aa2f03f4c40f04e07afdacf56724702e49b415fbe49a
Opcode Fuzzy Hash: f0fb696ba087784006dbce477a3e9d607b9ee917e5fb6883c1674acb1b2a325f
Instruction Fuzzy Hash: 54E2AD71609A8D8FEFA5DF28C898BD93BE0FF19300F544166D84DCB252DB74AA84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB0416 Relevance: 4.2, Strings: 3, Instructions: 417COMMON

Download Yara Rule

Strings

h1v0, xrefs: 00007FF9D1DB072A
h1v0, xrefs: 00007FF9D1DB047A
/, xrefs: 00007FF9D1DB0969

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID: /$h1v0$h1v0
API String ID: 0-2911751399
Opcode ID: 7437e8998ffb8284476cd896d3aacb842c231f0940ded5c24992b5dc62e8596f
Instruction ID: 028c99644c58d91f3b7c9de3f28eb6a4eb24588e6ebf88cd2b348d5343c70e44
Opcode Fuzzy Hash: 7437e8998ffb8284476cd896d3aacb842c231f0940ded5c24992b5dc62e8596f
Instruction Fuzzy Hash: 7AF1FD3061DB888FE7A5EB1CC4D8F9AB7E0FF9A300F154569E08DC7252CA75A981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB1323 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

`Yv0, xrefs: 00007FF9D1DB13C3

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID: `Yv0
API String ID: 0-649319420
Opcode ID: 71935fc91c4e3b0070588d7d3d0c0b0ba89489cc8bb2ba14dfa8a55ec37d6048
Instruction ID: 5b4189a4afcae683c9cf78ecb6a2f9e6122a7053733ef743d1f0885e511f32dd
Opcode Fuzzy Hash: 71935fc91c4e3b0070588d7d3d0c0b0ba89489cc8bb2ba14dfa8a55ec37d6048
Instruction Fuzzy Hash: AE2177A140D7C55FE782DB2894587597FF0EF56340F5805EBE0C9CB2A3D668A9888712

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB4B49 Relevance: .4, Instructions: 423COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88201f0986da24207378a7c9f4ff021fcdcc0638370abf5b4f095d8b0dbc82f0
Instruction ID: 29326f3f7a55b679160658841bff5d81b3078d1d408a955c9896a4d7f74d1c1d
Opcode Fuzzy Hash: 88201f0986da24207378a7c9f4ff021fcdcc0638370abf5b4f095d8b0dbc82f0
Instruction Fuzzy Hash: DBD1A122A1C9474FFB55EB2894597BC77D1EF59300F6401BAE08EC7293DFA8A8858385

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBEC6C Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff89199819540c9300501253bfe58c38aee7b162d6b53945a4d715a2a13886ac
Instruction ID: 6c84a52cdbdc20f50060dcc8c1d48bc89daca25c34f4d9ae153d0173b6008fe4
Opcode Fuzzy Hash: ff89199819540c9300501253bfe58c38aee7b162d6b53945a4d715a2a13886ac
Instruction Fuzzy Hash: EBA18431A18A4A4FEB54EF1C98457E977E1FF59300F10457AE48EC7282DF78A9898782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DC176D Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9597172ec980eae02c1645709d20094a7bdb4873d438da6103d50d8c5a8217
Instruction ID: d55e9628457c49fd0a85112073a927cd47069e2c9a1173a44ad60ba987a0aeac
Opcode Fuzzy Hash: 6f9597172ec980eae02c1645709d20094a7bdb4873d438da6103d50d8c5a8217
Instruction Fuzzy Hash: 0DA1B170A1CA8D4EE765EF2898467F977D1FF4A300F5441AAD48DCB293CF78A9468381

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBEB19 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 729d47727f2eb011589a671025fb29d1f83be646d64ef92a8a1188068cf10401
Instruction ID: e82a2716c84589d44270733254d72179c583460c18763f6634b112de122654fb
Opcode Fuzzy Hash: 729d47727f2eb011589a671025fb29d1f83be646d64ef92a8a1188068cf10401
Instruction Fuzzy Hash: 6991E47160C68D4FEB65DF288846BE97BE1FF4A300F14457EE48ECB182DB74A5498782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB4810 Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74b3153f8179675f9b02c5b0710180c9b4975881ef6d49eefedeef9f26611ae
Instruction ID: 664595b5e1b02014f29fd7c18e3ab827aebc2485c52a684057ead3e4c84e5359
Opcode Fuzzy Hash: b74b3153f8179675f9b02c5b0710180c9b4975881ef6d49eefedeef9f26611ae
Instruction Fuzzy Hash: 8CB13C71908A8D9FEB91DF28C844BD93FE0FF1A344F5540A6E88DCB292DB74A984C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBC23E Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44857be78ff9199d3be78542acd04fd6e6adcda98c02fac995ad1fdefc77bdc2
Instruction ID: ab5b6e0b92735ae074a5a662c710e52b0f39f5b4235850be1c1d3d5a345e236a
Opcode Fuzzy Hash: 44857be78ff9199d3be78542acd04fd6e6adcda98c02fac995ad1fdefc77bdc2
Instruction Fuzzy Hash: 48A16E70918A8D8FEBA5EF28C849BE93BE0FF49305F40416AE84DC7152DF79A885C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBF509 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cce73f3180155b482bd9e8d5cb791e93f28e30941aa42bdb9fc62db3623c8f
Instruction ID: 504553e0f2bf5133f8f9c73e86e2f99e3a42ab43cfeae4214ca78c8f79915e47
Opcode Fuzzy Hash: 33cce73f3180155b482bd9e8d5cb791e93f28e30941aa42bdb9fc62db3623c8f
Instruction Fuzzy Hash: 1D71F952B0CA8A0FF785EB2C585A7797BD1EF9A250F1440BBD48EC72D3DD686C868341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB5589 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fedea7791c8d4bb7d73c7746af2716c6a90a36b930be3978a6f15093dd0dd4a1
Instruction ID: 6c57fc030d21b772944c014d0d5c388f0bc14ca6141c366c7ec012558d61391f
Opcode Fuzzy Hash: fedea7791c8d4bb7d73c7746af2716c6a90a36b930be3978a6f15093dd0dd4a1
Instruction Fuzzy Hash: A291A462A1C5864FF745DB288859BA87BE1FF55300F6441BAD08ECB293DBA8BCC5C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBD349 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f7e8ee7428cb68960863db53b17d1b1234af562ac2b3f9b46a7fa04058d9c0b
Instruction ID: 014074234544259b6311cfd0ed5185e3ca867d2713223bcf564c1efe9fb60175
Opcode Fuzzy Hash: 3f7e8ee7428cb68960863db53b17d1b1234af562ac2b3f9b46a7fa04058d9c0b
Instruction Fuzzy Hash: AD915C7051898D9FEB95EF28C888BE93BE0FF59355F50416AF84EC7192DB74A8848740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB33F1 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7522444826b223cab81dfe5053ae671eb4f530914c9e8e353e00288809ecefe
Instruction ID: 39ea120524ed4838d00d4c3203820eefbfb6c6a50042ecc70e4725bbc020b45c
Opcode Fuzzy Hash: c7522444826b223cab81dfe5053ae671eb4f530914c9e8e353e00288809ecefe
Instruction Fuzzy Hash: 2751FD22A0C64A5FEB55EF2894557B93BE1FF4A311F5400BBE48ECB283CE69F8458741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB9239 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38abf7808e6891ef93f942de849985658e9032b8c763a92575beaf988d26c060
Instruction ID: c18b4be3344b5b23cdde8b568e0c31033514b405916dc57b4760c6d126155339
Opcode Fuzzy Hash: 38abf7808e6891ef93f942de849985658e9032b8c763a92575beaf988d26c060
Instruction Fuzzy Hash: C351A171508B8C8FEBA5DF18C889BE93BE0FB09310F50416AE48DCB252DF74A549C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBFFC0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d189f1eeb04c2cd2b91fc834850b0260e1eac213c16afbed85978022ac0812
Instruction ID: 8daa43fb86968de2eec9cc8985ca7a1c542d4ed393c48edc3640f9f24a2d8f14
Opcode Fuzzy Hash: 15d189f1eeb04c2cd2b91fc834850b0260e1eac213c16afbed85978022ac0812
Instruction Fuzzy Hash: 09411D2270CA4A0FE785E76C489D77837D2EF9D210F5944B6D44DCB193CE689C898340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DC150D Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254f4fe8e418f0364cc9054692bdb1f1e3bf37255e72fdc863720b4b57488001
Instruction ID: 87dee251d51ebcae53eb98fd83716fc0fcd12da62ce890f00011970499ef67ce
Opcode Fuzzy Hash: 254f4fe8e418f0364cc9054692bdb1f1e3bf37255e72fdc863720b4b57488001
Instruction Fuzzy Hash: 5651B371618A4D8FEBB4DF18DC4A7E937E1FB59300F54406AD84DC7282DE74A9898781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB3E5D Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e61ec006c794a5146205d19414da6ceb2f366276f22edb70530f3481092f73
Instruction ID: 900f4d4613b573fbd29b2616cb88b14929bb1f24e3abd5e5d294e8fa53c8a3da
Opcode Fuzzy Hash: 75e61ec006c794a5146205d19414da6ceb2f366276f22edb70530f3481092f73
Instruction Fuzzy Hash: EA41EB22A0DB865FE741DB5844497697BE0FF4D204F5401BAD5CECB283DE68EC888341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB545E Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a97ed58c98bc089332f18eadf7c5d28b2ff04c6b3d145aea494134a267bdf68
Instruction ID: cf227432489ae99e89c074a2f03b37b3f893f3002a626c9a09e24179a43501e9
Opcode Fuzzy Hash: 3a97ed58c98bc089332f18eadf7c5d28b2ff04c6b3d145aea494134a267bdf68
Instruction Fuzzy Hash: AC411722A0D78B0FF796D76855963657BE1EF56211F2440FAD08ECE183DE9DA8898340

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB6B31 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0704d12df6cb022c5156bde5adf15268d93c03ca05cf5c2b561a0e63998976d3
Instruction ID: 207e1744f50b46a8b6bc3143b5d3983725a7f1026c82b6ce27d479c1a9751ec1
Opcode Fuzzy Hash: 0704d12df6cb022c5156bde5adf15268d93c03ca05cf5c2b561a0e63998976d3
Instruction Fuzzy Hash: A3418512F0DACA0FF786EB3408696796EF1AF5A21075944FBD48ECB193DD5CAC898311

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB3955 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9678ac8dc1b6b9c179ed1ad89fbecd8c3d23530be2d3f9caf334a8d6aae0f10f
Instruction ID: 83371d8916f8265f8af6a5fdd3b765a360929b30921845632a4b71470a76d143
Opcode Fuzzy Hash: 9678ac8dc1b6b9c179ed1ad89fbecd8c3d23530be2d3f9caf334a8d6aae0f10f
Instruction Fuzzy Hash: 6441853190C6869FEB45EF2484987697BA0EF16300F2540FAD44ECF193CF74A9899701

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB5DF0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e74bbb8ec168031c75f35e34b070479cccc916e4c61cdb67860eeec72213cb
Instruction ID: c4b92c2a09ddf4e5db5cdf17caffe66a1e81fb13daaba063d633e8f668d82999
Opcode Fuzzy Hash: 47e74bbb8ec168031c75f35e34b070479cccc916e4c61cdb67860eeec72213cb
Instruction Fuzzy Hash: FC318312F1994B0FF792A728185937C66D2AF96210F6844BBD44EC7297DE9CACC98341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBD949 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57dc0b10859b277aff4d795e967511900125149bd2b7cd4265567466b46b4899
Instruction ID: f3c962b7f91902281426dc42b451447a7be1133889b498e8b8cf621499497070
Opcode Fuzzy Hash: 57dc0b10859b277aff4d795e967511900125149bd2b7cd4265567466b46b4899
Instruction Fuzzy Hash: 4541F76250DBCA4FE742DB2888557A97FB0EF5B314F1801EAE48DCB1D3DB286889C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB855D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a10f8de96cd7d4656b993cb05655586ba239e7d937650fcac9b7f2b87009e9
Instruction ID: 3e5e6390ecda1fb3b084d7ac395c57b8e9976941b4d1370460c4d810cd717b76
Opcode Fuzzy Hash: 96a10f8de96cd7d4656b993cb05655586ba239e7d937650fcac9b7f2b87009e9
Instruction Fuzzy Hash: 4431727160868D4FEBA5DF28D849BEC7BE0FB45301F6441AAD48DCE182DB78A589C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB3E80 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e289357f6251b7fb729b3f87363bef570f3a9d6b58b1b8f7d233ba895f3d4451
Instruction ID: 9faf3339be18c97516b33005f0925e4e05d72b28a4fd47cc7e2327859dab10b7
Opcode Fuzzy Hash: e289357f6251b7fb729b3f87363bef570f3a9d6b58b1b8f7d233ba895f3d4451
Instruction Fuzzy Hash: C231D822A1CB4B5BF750DA58554936976E0FB8C308F14017FE5CEC7282DBB8E9888241

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB4069 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36f1c97d22762c412565e182a36ba0cb4f99550d145b4872a48c04661ce469a
Instruction ID: 6ad23fc5cbca0d7dcb22dff4844a47df9718a9f823b7bea74be850bed0133651
Opcode Fuzzy Hash: e36f1c97d22762c412565e182a36ba0cb4f99550d145b4872a48c04661ce469a
Instruction Fuzzy Hash: 8121463161CB891FE764CB5CD886BBA7BE0FB99311F04047FE08DC7282DB6899848742

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBECAC Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62143b2292758bc3f102f78009bde8cde206fa8311537c95d6d93d94db820b36
Instruction ID: a6e1e78deb9aece948a7e5a861b181010084a6828448243bc9134c5518e2ffe5
Opcode Fuzzy Hash: 62143b2292758bc3f102f78009bde8cde206fa8311537c95d6d93d94db820b36
Instruction Fuzzy Hash: B2218322B58A0B0FF758AA6C54457BD72D1EB58351F20053EE48FC7283DE99F8C54245

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB3A38 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f6ccf45e8958e3e5694f67385f4a35f2797571d782997576ce9720b9a26ebc7
Instruction ID: 86c70613e0a8abb6412cb43c41bbd761fbaf25278bb1612d9913c8c817a90896
Opcode Fuzzy Hash: 2f6ccf45e8958e3e5694f67385f4a35f2797571d782997576ce9720b9a26ebc7
Instruction Fuzzy Hash: 9E219531E086469FE745EF28C498B697BA1EF5A300B2444FAD44ECF192CF79E885D700

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBF26D Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f85d89f8a698bd2a91cb0a1c0b2310cc7b7149c243728441270cf98b93451b8
Instruction ID: 7bbaa9be4098e0c34df797f9708c4216ad51e447216c2d4eb5c9b2532d397f4d
Opcode Fuzzy Hash: 0f85d89f8a698bd2a91cb0a1c0b2310cc7b7149c243728441270cf98b93451b8
Instruction Fuzzy Hash: 70115A52E0E7C50FE747973849A53156FB2AF97240B5A40E7C188CF1D3D9689C49C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB81DA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ec155c8d25ccc582c2b410daa825f780f0df4162339e349b17fa5eaf1760c9
Instruction ID: 541cde2cb6faeaeb0e1bdeac2c388c2992a0d638b1844c49b0163b56a106ec3e
Opcode Fuzzy Hash: 76ec155c8d25ccc582c2b410daa825f780f0df4162339e349b17fa5eaf1760c9
Instruction Fuzzy Hash: D301F902F0D98B0FF386BB34182933D99E1AF86240B6944F6D48ECB193DE1CAC858300

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB815A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41e05bbb83a52c94d6dec9620abbf6ee305edbe98f02c4d948ac7b5d8752e1f
Instruction ID: 4c2035a99c8f0606b4d16962b8aa7e08313ca50299f98fdc68896c7a4d7ee254
Opcode Fuzzy Hash: f41e05bbb83a52c94d6dec9620abbf6ee305edbe98f02c4d948ac7b5d8752e1f
Instruction Fuzzy Hash: FE01B952F0E99B4FF742B734092933E59E1AF96240B6944F6D48ECB197DD6CAC858310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB6C5A Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1223fea559c6739189930a591883526027c62a5775c2d0c825241c2ff87ea7d3
Instruction ID: 951bc866812b4475002f0bf7dfbae46b7495cf645bb8134c7c2e2dde9718fd38
Opcode Fuzzy Hash: 1223fea559c6739189930a591883526027c62a5775c2d0c825241c2ff87ea7d3
Instruction Fuzzy Hash: CD018412F1D99A4FF782A734182937D6AE2AF46240B9944F6D48ECB197DD6CA8858310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB82DA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6519ad51ef6729046de5870b0813b22253637b1799371b69cb3bb0240550e41
Instruction ID: 02a4786c58a3c391cd878a4f6c8f59fa6fbe41716481debece767f766478fdff
Opcode Fuzzy Hash: a6519ad51ef6729046de5870b0813b22253637b1799371b69cb3bb0240550e41
Instruction Fuzzy Hash: DE017E12F1D9970FF746F734142A37D99E19F56240B6944F6D48ECB2A3DD5C6C858310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB76DA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e8d8baac1023a2bd943c6c1cd496a3cf8e6a92eb3c9cefcc59a79d2989f5d6
Instruction ID: e09990c2366325266bed48a06ed7c32dbfacc1ec1750d4ae36cfb413bf48654f
Opcode Fuzzy Hash: 57e8d8baac1023a2bd943c6c1cd496a3cf8e6a92eb3c9cefcc59a79d2989f5d6
Instruction Fuzzy Hash: A3019612F0D99A0FF792A734041937E9AE1AF56240B5944F6D48ECB1D3DD5CA8858310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB017D Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3618c5e6c6d22e52fab81a6686b51c2aed9d6d37b17a105f61333def1d491f
Instruction ID: 3dd8c363cfcb66d3778b8ab944692e15ad3ffb3d16e2f2777cff2a2e745a9f51
Opcode Fuzzy Hash: 3e3618c5e6c6d22e52fab81a6686b51c2aed9d6d37b17a105f61333def1d491f
Instruction Fuzzy Hash: 81014913D5DAC71FF34ADB24AD527687B70FF82240F94557AE089CB1C3D98C68858302

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB3BA4 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0bab5f1199c4b00939f619324e8ae78ee712ca845b89a1b0441681de2d942ad
Instruction ID: e7bf01995108947f940bd59aec9efa1aaccc65f2ec382b44a78561fb79b31a6e
Opcode Fuzzy Hash: f0bab5f1199c4b00939f619324e8ae78ee712ca845b89a1b0441681de2d942ad
Instruction Fuzzy Hash: E2F04613B18E4B1BEB400ABC68A83F4B7C1EB9D222FA404BBC146CB395D98C68C58344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB84F3 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4db8a1c4125001d562c082b03469aaebaaf3b718f8986b0b8482828d96dce920
Instruction ID: 623a6073c6f63443bf044ef2145b670ffe490473aaa5219b68a222463b4f2098
Opcode Fuzzy Hash: 4db8a1c4125001d562c082b03469aaebaaf3b718f8986b0b8482828d96dce920
Instruction Fuzzy Hash: BCF0C811F0CA5A0FE746AB385454379E6E1EF8B281B5540F2D44DCB297DE6DAC85C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DBF7C8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60853338ebf1113ca274200d4eb173e0e3e520898d830c1f7720ad3573d7fa29
Instruction ID: bf17c7a3e933b0ec1f8abb7c8ad71ac34cd77965f357f96c9412cb0e30fd56f9
Opcode Fuzzy Hash: 60853338ebf1113ca274200d4eb173e0e3e520898d830c1f7720ad3573d7fa29
Instruction Fuzzy Hash: 31F0A01278EE490BD71C956E3C9D27537D1C7E9222B1801BFE409C7297DC905C8D83D1

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB54F9 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c94fdcf09aa61ffe6dd2608258e52c57dee20b64de167efa8415b774d44d81
Instruction ID: eb24c8146379181b38d9f7bf218962cd36c7f79c8ef5118cadc9adc9e3ded719
Opcode Fuzzy Hash: 20c94fdcf09aa61ffe6dd2608258e52c57dee20b64de167efa8415b774d44d81
Instruction Fuzzy Hash: C4F0C272808A4D8FEB50DF04D4453A83FA0FF64301F6141DAE44ECF151D378E9898741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DC0B71 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52126746ac202366dae0d369b834b2f655b2381deb68e26daa596b1de19faa96
Instruction ID: bcdc9a4e5fc4da5bf9b06bd7ad72266a555d47f6a7780a263b319324e3265506
Opcode Fuzzy Hash: 52126746ac202366dae0d369b834b2f655b2381deb68e26daa596b1de19faa96
Instruction Fuzzy Hash: 63F0E922A18A060FE749DA6C8C9A37437D2DB58211F1846B6D84AC62D3E999D8848380

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DC14A5 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa4f5d14ce2f2255a9b4b280bc489d79da5f42dbdb1e83b6ae81843d0cd43c3
Instruction ID: 89111ddbbb41ad88db2a88e44c1b226061f8bf9ba0e909f37badcf02145eb285
Opcode Fuzzy Hash: 5aa4f5d14ce2f2255a9b4b280bc489d79da5f42dbdb1e83b6ae81843d0cd43c3
Instruction Fuzzy Hash: ADF0A4A160C7864EFB558F6984A57607FB1AF1A200F6900EAC84DCD1C7D6ACD848C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB0120 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684bac0eb82ad96c47f1546701255fd0955758fff67af5a0d37d8dc73c710c63
Instruction ID: af4b8ccc7f5b4dd153d81674249628b7cb25b10878f8695076e3e418a449d15a
Opcode Fuzzy Hash: 684bac0eb82ad96c47f1546701255fd0955758fff67af5a0d37d8dc73c710c63
Instruction Fuzzy Hash: 86F02763A6C84B47F744EB68598A27877B0FF46240F604939D08ED5193CDACB8C0C205

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB03AF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95767df3709d84318517eddd43d37463da5247a75921752e37ce77706b7514e0
Instruction ID: d6ec39bc046771bb810e2f6965744ce9bea18b764b159876a6a1295e50a1d76b
Opcode Fuzzy Hash: 95767df3709d84318517eddd43d37463da5247a75921752e37ce77706b7514e0
Instruction Fuzzy Hash: 8FF0627191DB854FE3A1DF54C496AEA77E0FF99710F40046DC089D7152DB786881CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB84DA Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7213f6c729134d1ebd914ccbcd0c4c06a1fc287d580626701d80231b4916160
Instruction ID: 8cdd9786fd1a5ee206990ef57e5d89c44705fb4366792af161a10b811662ace2
Opcode Fuzzy Hash: b7213f6c729134d1ebd914ccbcd0c4c06a1fc287d580626701d80231b4916160
Instruction Fuzzy Hash: BFE02B53A0C65F0FF749DB2494A163837E0EF8629275400B7D48EDF183CA4D6C898360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9D1DB391B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1195469011.00007FF9D1DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9D1DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff9d1db0000_Samsung_Driver_Installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3f4e3c38065621fc65e9efac6eb0c008bc8d8796005a7108be6348470b77cff
Instruction ID: d9a476ccec74179c4d8a91d3ffdbcc2aeb10365a56284507e3c365d511136eed
Opcode Fuzzy Hash: d3f4e3c38065621fc65e9efac6eb0c008bc8d8796005a7108be6348470b77cff
Instruction Fuzzy Hash: FED01215B1480A0BE959B36C24913BD02C3DBC9226F955036E44DD23C6CD0E1C476381

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report S34C65xU.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Driver\Manual_S34C65xU\S34C65xU.cat

C:\Driver\Manual_S34C65xU\S34C65xU.icm

C:\Driver\Manual_S34C65xU\S34C65xU.inf

C:\Driver\S34C65xU.cat

C:\Driver\S34C65xU.icm

C:\Driver\S34C65xU.inf

C:\Driver\Samsung_Driver_Installer.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Samsung_Driver_I_8eed55e27c43b9c57636aa58c88d2e557d153d1_0cdd0738_c03bf17d-4e1a-409e-83ae-3bc1cc2052fe\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3508.tmp.mdmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER38E1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER394F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
S34C65xU.exe

Function 00405E69 Relevance: 54.7, APIs: 27, Strings: 4, Instructions: 495
windowtimeCOMMON

Function 00408E7F Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 75
synchronizationwindowCOMMON

Function 004055B5 Relevance: 61.7, APIs: 33, Strings: 2, Instructions: 405
windowCOMMON

Function 0040748D Relevance: 45.9, APIs: 25, Strings: 1, Instructions: 382
windowthreadCOMMON

Function 004094F1 Relevance: 36.9, APIs: 2, Strings: 19, Instructions: 186
COMMON

Function 00401F09 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 227
fileCOMMON

Function 004044FA Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 207
COMMON

Function 00403925 Relevance: 24.3, APIs: 16, Instructions: 281
windowsynchronizationCOMMON

Function 004052D6 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 172
windowCOMMON

Function 00402199 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 133
fileCOMMON

Function 0040A8FD Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 157
COMMON

Function 00403D69 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 298
windowCOMMON

Function 0043E806 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 42
threadCOMMON

Function 0043E7FA Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 37
threadCOMMON

Function 0042F824 Relevance: 12.1, APIs: 8, Instructions: 108
fileCOMMON