Windows Analysis Report
Kofc4rRZdp.exe

Overview

General Information

Sample name: Kofc4rRZdp.exe
renamed because original name is a hash value
Original sample name: 243149fc79e420c9dfe7f0affa166238.exe
Analysis ID: 1429029
MD5: 243149fc79e420c9dfe7f0affa166238
SHA1: 8289040f7e4043f6b6320684a63f2019714aaab6
SHA256: fee7bb0a897a66e0ff928aa8abc71ab11a59d960d88e10c1a05f60495c08522a
Tags: 32, exe, trojan

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Machine Learning detection for dropped file
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Kofc4rRZdp.exe (PID: 2520 cmdline: "C:\Users\user\Desktop\Kofc4rRZdp.exe" MD5: 243149FC79E420C9DFE7F0AFFA166238)
    • regsvr32.exe (PID: 3220 cmdline: "C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._ MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ | Avira: detection malicious, Label: HEUR/AGEN.1300756
Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ | Virustotal: Detection: 25%
Source: Kofc4rRZdp.exe | Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ | Joe Sandbox ML: detected
Source: Kofc4rRZdp.exe | Joe Sandbox ML: detected
Source: Kofc4rRZdp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Kofc4rRZdp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb | source: Kofc4rRZdp.exe
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00714D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00728590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_007386E8 FindFirstFileExA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A769C0 NtCreateThreadEx
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0071720F
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0071E3FB
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0071FBD3
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0071837D
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072E430
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00732578
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00712606
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_007327A7
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00720870
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00718934
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0073AA50
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00718D89
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0073EE32
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0073AEFE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04951000
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_049549D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04952FB0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_049551F0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04952AC4
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04953B80
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A76CC0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A769C0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A78910
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A76140
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A79040
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A78DB0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A79490
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A75AE0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A766E0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A78BC0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 1_2_04A76430
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: String function: 0072C468 appears 55 times
Source: Kofc4rRZdp.exe, 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamelgpllibs.dll8 vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000002.2077529522.0000000002D84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000003.2076923027.0000000002D84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000003.2076820826.0000000002D84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe, 00000000.00000003.2077046352.0000000002D84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameREGSVR32.EXE.MUIj% vs Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal72.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00712E6F GetLastError,FormatMessageW,_wcslen,LocalFree
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00725C5C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_3806687
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Command line argument: ht | 0_2_0072B2FE
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Command line argument: sfxname | 0_2_0072B2FE
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Command line argument: sfxstime | 0_2_0072B2FE
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Command line argument: STARTDLG | 0_2_0072B2FE
Source: Kofc4rRZdp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Kofc4rRZdp.exe | Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | File read: C:\Users\user\Desktop\Kofc4rRZdp.exe
Source: unknown | Process created: C:\Users\user\Desktop\Kofc4rRZdp.exe "C:\Users\user\Desktop\Kofc4rRZdp.exe"
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Kofc4rRZdp.exe | Static file information: File size 3049000 > 1048576
Source: Kofc4rRZdp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Kofc4rRZdp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Kofc4rRZdp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Kofc4rRZdp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Kofc4rRZdp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Kofc4rRZdp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Kofc4rRZdp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Kofc4rRZdp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxzip32\Release\sfxzip.pdb | source: Kofc4rRZdp.exe
Source: Kofc4rRZdp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Kofc4rRZdp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Kofc4rRZdp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Kofc4rRZdp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Kofc4rRZdp.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_3806687
Source: Kofc4rRZdp.exe | Static PE information: section name: .didat
Source: 42ZqUg._.0.dr | Static PE information: section name: .qdata
Source: 42ZqUg._.0.dr | Static PE information: section name: 510OCR
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072C403 push ecx; ret | 0_2_0072C416
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072D4B0 push ecx; ret | 0_2_0072D4C3
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | File created: C:\Users\user\AppData\Local\Temp\42ZqUg._
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\42ZqUg._
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00714D8A __EH_prolog3_GS,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00728590 __EH_prolog3_GS,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_007386E8 FindFirstFileExA
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072BC1D VirtualQuery,GetSystemInfo
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | API call chain: ExitProcess graph end node | graph_0-24427
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_007353C2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_007393D0 GetProcessHeap
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072D242 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_007312B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072D3E5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072C69D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072D05E cpuid
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00726CF5 GetLocaleInfoW,GetNumberFormatW
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_0072B2FE GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle
Source: C:\Users\user\Desktop\Kofc4rRZdp.exe | Code function: 0_2_00715032 GetVersionExW
MITRE ATT&CK Matrix (one line per tactic column; the number shown before a technique in the report is kept in parentheses after it)

  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
  • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
  • Defense Evasion: Masquerading (1); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1)
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: System Time Discovery (1); Security Software Discovery (12); File and Directory Discovery (2); System Information Discovery (24); Internet Connection Discovery; Wi-Fi Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source: Kofc4rRZdp.exe | Detection: 39% | Scanner: Virustotal
Source: Kofc4rRZdp.exe | Detection: 100% | Scanner: Joe Sandbox ML

Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ | Detection: 100% | Scanner: Avira | Label: HEUR/AGEN.1300756
Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ | Detection: 100% | Scanner: Joe Sandbox ML
Source: C:\Users\user\AppData\Local\Temp\42ZqUg._ | Detection: 25% | Scanner: Virustotal
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1429029
Start date and time: 2024-04-20 05:47:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Kofc4rRZdp.exe
renamed because original name is a hash value
Original Sample Name: 243149fc79e420c9dfe7f0affa166238.exe
Detection: MAL
Classification: mal72.winEXE@3/1@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 98%
  • Number of executed functions: 106
  • Number of non-executed functions: 87
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Stop behavior analysis, all processes terminated
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No context
No context
No context
No context
Process: C:\Users\user\Desktop\Kofc4rRZdp.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2899968
Entropy (8bit): 7.9563253833154
Encrypted: false
SSDEEP: 49152:PUlXiX5/dTY14YysazQG0gK5LHmjQeOXlVjZmk7PLOfy:qip/dTRYoMdgKcaVtmk7zOfy
MD5: 035DC2E7367EEBA224351B508CE94506
SHA1: EA6E03D6FAF286CB3DC5ED4A9110305B2D974AF5
SHA-256: 4AA2D8EFA84E67993A694C22763F750BE466D32F26498F0A3351316F2766BE8F
SHA-512: 951CFA7CF1EE8AC85BFDE173DAB0A5BECE860D61F91F480D61A5640370FC7F86481652E733BE28F46DB1E4C064A62BF03B5AE21272494776EB6DBDE5BA6F35EA
Malicious: true
Antivirus:
  • Antivirus: Avira, Detection: 100%
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: Virustotal, Detection: 25%
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9596931280584595
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Kofc4rRZdp.exe
File size: 3'049'000 bytes
MD5: 243149fc79e420c9dfe7f0affa166238
SHA1: 8289040f7e4043f6b6320684a63f2019714aaab6
SHA256: fee7bb0a897a66e0ff928aa8abc71ab11a59d960d88e10c1a05f60495c08522a
SHA512: 1722b5e597d14c6720d6b22b0e802fbfa84cf933e1676ecbb1b9c7087eab8f5d9810c80a139a057473022bc655a5c70870d00913fc3ab1791d7db739fc0994db
SSDEEP: 49152:XcL4/Td35hyvDldRgzCyymaTQ+EU6p/1mjAeOX5LL9ac1PvmaFq:XcL4tPyLldR1yOsnU6KaLhac1Hmag
TLSH: 9BE5235133D4C5B0C2A315368565AB512A3CFC711F2A8AEF67F02D6DEB359C0EA31B92
Icon Hash: 1515d4d4442f2d2d
Entrypoint: 0x41d000
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp: 0x65DC537F [Mon Feb 26 09:01:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 10b73c5f7fc148e21f974da703236659
Instruction (entrypoint disassembly):
call 00007FED40D6F341h
jmp 00007FED40D6ECADh
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FED40D6E40Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FED40D6E3F9h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FED40D6DE31h
push 0043BF68h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FED40D6FB67h
int3
jmp 00007FED40D7546Ch
push ebp
mov ebp, esp
and dword ptr [0045B89Ch], 00000000h
sub esp, 24h
or dword ptr [0043E770h], 01h
push 0000000Ah
call dword ptr [0043218Ch]
test eax, eax
je 00007FED40D6EFE2h
and dword ptr [ebp-10h], 00000000h
xor eax, eax
push ebx
push esi
push edi
xor ecx, ecx
lea edi, dword ptr [ebp-24h]
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-24h]
mov edi, dword ptr [ebp-20h]
mov dword ptr [ebp-0Ch], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-18h]
xor eax, 49656E69h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr [ebp-1Ch]
xor eax, 6C65746Eh
mov dword ptr [ebp+00h], eax
Programming Language:
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3cef0 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3cf24 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5d000 | 0xe360 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0x2f38 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3a020 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x3a080 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x346f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x32000 | 0x24c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c4fc | 0x100 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x3023c | 0x30400 | eab8c49347b2363b3fdd36257b1df951 | False | 0.5767132852979274 | data | 6.682129404058095 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x32000 | 0xbc34 | 0xbe00 | e5f2fdc4aee2f1a0726781d86b4f8c02 | False | 0.4407483552631579 | data | 5.126576177856284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x1df78 | 0x1200 | 94ebd057e10782ee3aa0d3ba58c1a1bf | False | 0.3856336805555556 | DOS executable (block device driver w{\362ko\3050) | 3.9129841433728263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x5c000 | 0x17c | 0x200 | f6f8a7d940bc508fbb3b807359e5a063 | False | 0.42578125 | data | 3.261134286324671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x5d000 | 0xe360 | 0xe400 | 7a6b7bfd44ad2f52769a07648c6facb0 | False | 0.6301569353070176 | data | 6.5965558628721315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6c000 | 0x2f38 | 0x3000 | 83735fea8ebd9a3faee82aa0e6812001 | False | 0.7744140625 | data | 6.687384285279319 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
PNG0x5d6800xb45PNG image data, 93 x 302, 8-bit/color RGB, non-interlacedEnglishUnited States1.0027729636048528
PNG0x5e1c80x15a9PNG image data, 186 x 604, 8-bit/color RGB, non-interlacedEnglishUnited States0.9363390441839495
RT_ICON0x5f7780x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colorsEnglishUnited States0.47832369942196534
RT_ICON | 0x5fce0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x60588 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x61430 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x61898 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x62940 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x64ee8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x695b8 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x69388 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x694c8 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x69258 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x68f20 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x68cc8 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x69f98 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x6a180 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x6a350 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x6a508 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x6a650 | 0x46c | data | English | United States | 0.3454063604240283
RT_STRING | 0x6aac0 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x6ac28 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x6ad80 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x6ae90 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x6af50 | 0x1c0 | data | English | United States | 0.5178571428571429
RT_STRING | 0x6b110 | 0x250 | data | English | United States | 0.44256756756756754
RT_GROUP_ICON | 0x68c60 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x69840 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
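The last column of the resource table is the ZLIB Complexity that Joe Sandbox reports per resource; it is taken here to be the ratio of zlib-compressed size to raw size, which is consistent with the values shown (the 256 x 256 PNG, already deflate-compressed, scores 0.98, while the padded DIB icons sit between 0.35 and 0.54). A resource that scores near 1.0 but is not a known compressed image format is worth carving out, because packed or encrypted payloads look the same. The block below is an added example, not code from the report or from the sample, that computes that ratio for in-memory resource bytes and flags the suspicious ones. The two resources are constructed, not extracted from Kofc4rRZdp.exe, and the 0.9 threshold is an assumption.

```python
import hashlib
import zlib


def zlib_complexity(data: bytes) -> float:
    """Ratio of zlib-compressed size to raw size.

    Near 0.0: repetitive content (zero padding, flat bitmaps).
    Near or above 1.0: data that zlib cannot shrink, i.e. already
    compressed (PNG) or encrypted/packed (hidden payloads).
    """
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def classify_resource(name: str, data: bytes, threshold: float = 0.9):
    """Return (name, ratio, flagged); flagged means 'looks compressed or encrypted'."""
    ratio = zlib_complexity(data)
    return (name, round(ratio, 4), ratio >= threshold)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes built by chaining SHA-256 digests,
    standing in for an encrypted blob so the example runs offline and repeatably."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample resources (assumption: not taken from the analysed sample).
SAMPLE_RESOURCES = {
    "RT_ICON_padded": b"\x00" * 900 + bytes(range(16)) * 8,  # mostly zero padding
    "RT_RCDATA_blob": pseudo_random_bytes(4096),             # looks encrypted/packed
}


def triage(resources=SAMPLE_RESOURCES, threshold: float = 0.9):
    """Score every resource; callers sort by ratio to find embedded payloads fast."""
    return [classify_resource(n, d, threshold) for n, d in resources.items()]


if __name__ == "__main__":
    for name, ratio, flagged in triage():
        print(f"{name:16s} {ratio:.4f} {'SUSPICIOUS' if flagged else ''}")
```

Treat the flag as a triage hint, not a verdict: a PNG icon or an embedded installer archive will also score high, so the type column (or a magic-byte check) has to be read alongside the ratio.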
DLL | Import
KERNEL32.dll | LocalFree, GetLastError, SetLastError, FormatMessageW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileTime, CloseHandle, CreateFileW, GetCurrentProcessId, CreateDirectoryW, RemoveDirectoryW, SetFileAttributesW, GetFileAttributesW, DeleteFileW, MoveFileW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetCurrentProcess, GetExitCodeProcess, WaitForSingleObject, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapReAlloc, HeapSize, SetStdHandle, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | VariantClear, SysFreeString, SysAllocString
gdiplus.dll | GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdiplusShutdown, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
Language of compilation system: English
Country where language is spoken: United States
No network behavior found
Target ID:0
Start time:05:47:54
Start date:20/04/2024
Path:C:\Users\user\Desktop\Kofc4rRZdp.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Kofc4rRZdp.exe"
Imagebase:0x710000
File size:3'049'000 bytes
MD5 hash:243149FC79E420C9DFE7F0AFFA166238
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:1
Start time:05:47:54
Start date:20/04/2024
Path:C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._
Imagebase:0xb50000
File size:20'992 bytes
MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true
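The second process entry shows the sample launching regsvr32.exe with /u /s against a relative path, .\42ZQUg._, whose extension is not one a COM server normally carries; the report's "Drops files with a non-matching file extension" signature points at the same artefact. Note also that the command line names C:\Windows\System32\regsvr32.exe while the recorded Path is C:\Windows\SysWOW64\regsvr32.exe: the parent is a 32-bit process, so WoW64 file system redirection resolves the System32 path to the SysWOW64 copy, and a detection should therefore match on the executed image rather than on the path text inside the command line. The block below is an added example, not part of the Joe Sandbox report, of a small hunting rule over process-creation events for this pattern. The events are constructed to mirror the process list above, and the field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1 naming, which is an assumption about the reader's log source.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Extensions a legitimately registered COM server normally carries.
COM_SERVER_EXTENSIONS = {".dll", ".ocx", ".ax", ".cpl"}

_ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Finding:
    command_line: str
    reasons: list = field(default_factory=list)


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted paths intact."""
    return [quoted or bare for quoted, bare in _ARG_RE.findall(cmdline)]


def analyse_regsvr32(event: dict):
    """Return a Finding when a regsvr32 process-creation event looks like the
    loading of a dropped payload, else None. Matching is on the Image field,
    because the command line may say System32 while WoW64 redirection actually
    runs the SysWOW64 copy, as in the report above."""
    if ntpath.basename(event["Image"]).lower() != "regsvr32.exe":
        return None
    args = split_cmdline(event["CommandLine"])[1:]  # drop argv[0]
    switches = {a.lower() for a in args if a[:1] in ("/", "-")}
    targets = [a for a in args if a[:1] not in ("/", "-")]
    reasons = []
    if targets:
        target = targets[0]
        ext = ntpath.splitext(target)[1].lower()
        if ext not in COM_SERVER_EXTENSIONS:
            reasons.append(f"target extension {ext or '(none)'} is not a COM server extension")
        if not ntpath.isabs(target):
            reasons.append("target is a relative path, resolved against the parent's working directory")
    if {"/u", "/s"} <= switches:
        reasons.append("/u /s: silent DllUnregisterServer call, which still maps and executes the module")
    if event.get("ParentImage", "").lower().startswith("c:\\users\\"):
        reasons.append("parent executable runs from a user profile directory")
    # One weak indicator alone (for example /u /s from an installer) is not enough.
    return Finding(event["CommandLine"], reasons) if len(reasons) >= 2 else None


def hunt(events: list) -> list:
    """Run the rule over a batch of events and keep only the findings."""
    return [f for f in map(analyse_regsvr32, events) if f is not None]


# Constructed events (assumption: Sysmon Event ID 1 field names). The first
# mirrors the process list above; the other two are benign installer activity.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'"C:\Windows\System32\regsvr32.exe" /u /s .\42ZQUg._',
     "ParentImage": r"C:\Users\user\Desktop\Kofc4rRZdp.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\comp.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /u /s "C:\Program Files\Vendor\old.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.command_line)
        for reason in finding.reasons:
            print("  -", reason)
```

The rule deliberately requires two independent indicators, so that routine /u /s uninstall calls from installers do not alert on their own; the sample's process entry trips all four. For response, the relative target means the dropped file lives in the parent's working directory, which the report does not show here, so the parent's CurrentDirectory field (where the log source records it) is the place to look for the file.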


    Execution Graph

    Execution Coverage:10.6%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:8.1%
    Total number of Nodes:1774
    Total number of Limit Nodes:23
    execution_graph: interactive call-graph node data, not reproduced here. API calls visible on the graph nodes: delay-load helpers (DloadAcquireSectionWriteAccess, DloadReleaseSectionWriteAccess, DloadProtectSection with VirtualQuery/GetSystemInfo/VirtualProtect) around LoadLibraryExA, GetProcAddress, FreeLibrary and RaiseException; CRT start-up and tear-down (GetStartupInfoW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetCurrentProcess/TerminateProcess, GetPEB, ExitProcess, RtlAllocateHeap/RtlFreeHeap, EnterCriticalSection/LeaveCriticalSection, RtlAcquireSRWLockExclusive/RtlReleaseSRWLockExclusive, GetStdHandle/GetFileType); main-flow calls GetCommandLineW, OpenFileMappingW, MapViewOfFile/UnmapViewOfFile, SetEnvironmentVariableW, GetLocalTime, GetModuleHandleW, LoadIconW, DialogBoxParamW, Sleep, DeleteObject, OleInitialize, GdiplusStartup, SHGetMalloc, GdiplusShutdown, OleUninitialize; environment and file probing via GetModuleFileNameW, GetCurrentDirectoryW, GetSystemDirectoryW, LoadLibraryW, GetVersionExW, GetFileAttributesW, CreateFileW, SetFilePointer, ReadFile, CloseHandle, CompareStringW; console output via AllocConsole, GetCurrentProcessId, AttachConsole, WriteConsoleW, FreeConsole; child-process handling via ShellExecuteExW, WaitForInputIdle, IsWindowVisible, ShowWindow, a WaitForSingleObject loop pumping PeekMessageW/GetMessageW/TranslateMessage/DispatchMessageW, GetExitCodeProcess, FindCloseChangeNotification; dialog updates via SendMessageW, GetDlgItem, SetWindowTextW, LoadStringW, WideCharToMultiByte.
API calls 25163->25161 25165 713d02 25164->25165 25169 713d15 25164->25169 25167 7135bd 25165->25167 25173 712fc0 109 API calls 25165->25173 25167->25163 25168 713d28 SetFilePointer 25168->25167 25170 713d44 GetLastError 25168->25170 25169->25167 25169->25168 25170->25167 25171 713d4e 25170->25171 25171->25167 25174 712fc0 109 API calls 25171->25174 25173->25169 25174->25167 25175 727860 25176 72786f __EH_prolog3_catch_GS 25175->25176 25431 711b78 25176->25431 25179 7278a0 25184 727980 25179->25184 25185 7278b1 25179->25185 25225 7278bf 25179->25225 25180 7281bb 25542 72a6f6 25180->25542 25191 727a10 25184->25191 25196 727996 25184->25196 25189 7278ba 25185->25189 25190 72795c 25185->25190 25187 7281ea 25192 728203 GetDlgItem SendMessageW 25187->25192 25193 7281f3 SendDlgItemMessageW 25187->25193 25188 7281db SendMessageW 25188->25187 25199 717fca 53 API calls 25189->25199 25189->25225 25195 727975 EndDialog 25190->25195 25190->25225 25441 711a16 25191->25441 25198 715d94 30 API calls 25192->25198 25193->25192 25195->25225 25197 717fca 53 API calls 25196->25197 25201 7279b3 SetDlgItemTextW 25197->25201 25202 728243 GetDlgItem 25198->25202 25203 7278ed 25199->25203 25206 7279bf 25201->25206 25207 728262 25202->25207 25573 71160a 29 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25203->25573 25204 727a2b EndDialog 25360 727a44 25204->25360 25205 727a61 GetDlgItem 25209 727a75 SendMessageW SendMessageW 25205->25209 25210 727a98 SetFocus 25205->25210 25214 7279c8 GetMessageW 25206->25214 25206->25225 25211 711b39 SetWindowTextW 25207->25211 25209->25210 25215 727aa8 25210->25215 25216 727acf 25210->25216 25217 72826c 25211->25217 25212 7278f4 25218 727904 25212->25218 25574 711b1b 25212->25574 25219 7279df IsDialogMessageW 25214->25219 25214->25225 25221 717fca 53 API calls 25215->25221 25223 711fa4 28 API calls 25216->25223 25561 726357 GetClassNameW 25217->25561 25218->25225 25577 7116b3 26 API calls 25218->25577 25219->25206 25226 7279ee 
TranslateMessage DispatchMessageW 25219->25226 25220 72809a 25227 717fca 53 API calls 25220->25227 25228 727ab2 25221->25228 25231 727adb 25223->25231 25578 72c426 5 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25225->25578 25226->25206 25233 7280ab SetDlgItemTextW 25227->25233 25234 7114a3 28 API calls 25228->25234 25229 711770 26 API calls 25229->25225 25593 72a44b 28 API calls __EH_prolog3_GS 25231->25593 25238 7280c0 25233->25238 25239 727abb 25234->25239 25237 727ae8 25243 717fca 53 API calls 25237->25243 25244 717fca 53 API calls 25238->25244 25579 72a4d2 25239->25579 25240 72828a 25242 7282a6 25240->25242 25245 728caf 48 API calls 25240->25245 25247 7282d7 25242->25247 25250 717fca 53 API calls 25242->25250 25246 727aff 25243->25246 25248 7280de 25244->25248 25245->25242 25249 71a2ad 53 API calls 25246->25249 25256 728caf 48 API calls 25247->25256 25357 7283f0 25247->25357 25252 7114a3 28 API calls 25248->25252 25254 727b09 25249->25254 25255 7282b9 SetDlgItemTextW 25250->25255 25251 711770 26 API calls 25257 727b2e 25251->25257 25261 7280e7 25252->25261 25253 7284f5 25264 728500 EnableWindow 25253->25264 25265 72850d 25253->25265 25258 72a4d2 21 API calls 25254->25258 25259 717fca 53 API calls 25255->25259 25268 7282ed 25256->25268 25263 727b40 25257->25263 25594 72ac95 26 API calls __EH_prolog3_GS 25257->25594 25266 727b1b 25258->25266 25267 7282cd SetDlgItemTextW 25259->25267 25260 728155 25270 717fca 53 API calls 25260->25270 25261->25260 25272 7114a3 28 API calls 25261->25272 25262 727b67 25455 714235 25262->25455 25263->25262 25280 71444f 49 API calls 25263->25280 25264->25265 25275 728528 25265->25275 25612 7119f8 GetDlgItem EnableWindow 25265->25612 25276 711770 26 API calls 25266->25276 25267->25247 25277 72830d 25268->25277 25308 72832e 25268->25308 25271 72815f 25270->25271 25278 7114a3 28 API calls 25271->25278 25279 728106 25272->25279 25273 7283dc 25281 728caf 48 API calls 25273->25281 25286 728550 25275->25286 25297 728548 
SendMessageW 25275->25297 25285 727aca 25276->25285 25608 725335 34 API calls __EH_prolog3_GS 25277->25608 25287 72816b 25278->25287 25290 717fca 53 API calls 25279->25290 25291 727b5d 25280->25291 25281->25357 25284 7284c0 25611 725335 34 API calls __EH_prolog3_GS 25284->25611 25285->25251 25299 717fca 53 API calls 25286->25299 25286->25360 25303 7114a3 28 API calls 25287->25303 25288 72851f 25613 7119f8 GetDlgItem EnableWindow 25288->25613 25298 728116 25290->25298 25291->25262 25300 727b61 25291->25300 25292 727b80 GetLastError 25293 727b8b 25292->25293 25465 71665e 25293->25465 25297->25286 25607 711170 28 API calls _wcslen 25298->25607 25306 728569 SetDlgItemTextW 25299->25306 25595 726a3a 25 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25300->25595 25302 7284e7 25312 711770 26 API calls 25302->25312 25313 728184 25303->25313 25304 7114a3 28 API calls 25304->25357 25306->25360 25308->25273 25315 728caf 48 API calls 25308->25315 25309 727ba0 25310 727bbd 25309->25310 25311 727bac GetLastError 25309->25311 25316 727c5d 25310->25316 25320 727c6f 25310->25320 25321 727bd9 GetTickCount 25310->25321 25311->25310 25317 7284f3 25312->25317 25326 711770 26 API calls 25313->25326 25314 728124 25323 7117b3 28 API calls 25314->25323 25319 728365 25315->25319 25316->25320 25322 727fa6 25316->25322 25317->25253 25318 717fca 53 API calls 25318->25357 25319->25273 25324 72836e DialogBoxParamW 25319->25324 25329 727ef4 25320->25329 25336 715eb3 29 API calls 25320->25336 25468 714085 25321->25468 25500 711b53 GetDlgItem ShowWindow 25322->25500 25330 72813e 25323->25330 25324->25273 25331 72838c EndDialog 25324->25331 25333 7281a3 25326->25333 25329->25204 25603 715628 28 API calls _wcslen 25329->25603 25337 711770 26 API calls 25330->25337 25331->25225 25338 7283a8 25331->25338 25340 711770 26 API calls 25333->25340 25334 727fbb 25501 711b53 GetDlgItem ShowWindow 25334->25501 25343 727c99 25336->25343 25344 728149 25337->25344 25338->25225 25609 7116b3 26 
API calls 25338->25609 25346 7281ae 25340->25346 25342 727f0e 25604 711170 28 API calls _wcslen 25342->25604 25596 718bcf 114 API calls 25343->25596 25351 711770 26 API calls 25344->25351 25345 727bff 25353 711770 26 API calls 25345->25353 25354 711770 26 API calls 25346->25354 25347 727fc4 25355 717fca 53 API calls 25347->25355 25349 7117b3 28 API calls 25349->25357 25351->25260 25359 727c0b 25353->25359 25354->25360 25361 727fce SetDlgItemTextW 25355->25361 25356 727f24 25362 717fca 53 API calls 25356->25362 25357->25253 25357->25284 25357->25304 25357->25318 25357->25349 25363 711770 26 API calls 25357->25363 25610 711170 28 API calls _wcslen 25357->25610 25358 727cb1 25366 71a2ad 53 API calls 25358->25366 25478 71338a 25359->25478 25360->25229 25502 711b53 GetDlgItem ShowWindow 25361->25502 25365 727f34 25362->25365 25363->25357 25605 711170 28 API calls _wcslen 25365->25605 25381 727ce0 GetCommandLineW 25366->25381 25367 727fe2 SetDlgItemTextW GetDlgItem 25370 728017 25367->25370 25371 727fff GetWindowLongW SetWindowLongW 25367->25371 25503 728caf 25370->25503 25371->25370 25372 727f3f 25375 711770 26 API calls 25372->25375 25379 727f4a 25375->25379 25376 727c40 25491 7132b8 25376->25491 25377 727c35 GetLastError 25377->25376 25378 728025 25383 728caf 48 API calls 25378->25383 25384 711770 26 API calls 25379->25384 25393 727d65 _wcslen 25381->25393 25386 72802e 25383->25386 25387 727f56 25384->25387 25534 72abd8 25386->25534 25396 717fca 53 API calls 25387->25396 25389 711770 26 API calls 25389->25316 25391 727d83 25598 727365 5 API calls 2 library calls 25391->25598 25392 728040 25395 728caf 48 API calls 25392->25395 25597 727365 5 API calls 2 library calls 25393->25597 25407 72804f 25395->25407 25397 727f6c 25396->25397 25399 7114a3 28 API calls 25397->25399 25398 727d8f 25599 727365 5 API calls 2 library calls 25398->25599 25403 727f75 25399->25403 25401 728070 25606 7119f8 GetDlgItem EnableWindow 25401->25606 25410 711770 26 API calls 25403->25410 25404 
727d9b 25600 718c7e 114 API calls 25404->25600 25405 727a55 25405->25204 25405->25220 25407->25401 25409 728caf 48 API calls 25407->25409 25408 727dae 25601 72ad84 28 API calls __EH_prolog3 25408->25601 25409->25401 25412 727f91 25410->25412 25414 711770 26 API calls 25412->25414 25413 727dcb CreateFileMappingW 25415 727e35 ShellExecuteExW 25413->25415 25416 727dfd MapViewOfFile 25413->25416 25414->25204 25418 727e53 25415->25418 25417 727e32 __InternalCxxFrameHandler 25416->25417 25417->25415 25419 727e60 WaitForInputIdle 25418->25419 25420 727e9d 25418->25420 25421 727e7e 25419->25421 25423 727ed3 25420->25423 25424 727ec0 UnmapViewOfFile CloseHandle 25420->25424 25421->25420 25422 727e83 Sleep 25421->25422 25422->25420 25422->25421 25602 712962 26 API calls 25423->25602 25424->25423 25426 727edb 25427 711770 26 API calls 25426->25427 25428 727ee3 25427->25428 25429 711770 26 API calls 25428->25429 25430 727eee 25429->25430 25430->25329 25432 711b81 25431->25432 25433 711bda 25431->25433 25435 711be7 25432->25435 25614 717b5c 64 API calls 2 library calls 25432->25614 25615 717b35 GetWindowLongW SetWindowLongW 25433->25615 25435->25179 25435->25180 25435->25225 25437 711ba3 25437->25435 25438 711bb6 GetDlgItem 25437->25438 25438->25435 25439 711bc6 25438->25439 25439->25435 25440 711bcc SetWindowTextW 25439->25440 25440->25435 25616 72c468 25441->25616 25443 711a22 GetDlgItem 25444 711a51 25443->25444 25445 711a3f 25443->25445 25617 711a98 25444->25617 25447 7114a3 28 API calls 25445->25447 25448 711a4c 25447->25448 25449 711a81 25448->25449 25450 711770 26 API calls 25448->25450 25451 711a8e 25449->25451 25452 711770 26 API calls 25449->25452 25450->25449 25453 72c417 5 API calls 25451->25453 25452->25451 25454 711a95 25453->25454 25454->25204 25454->25205 25454->25405 25462 714241 __EH_prolog3_GS 25455->25462 25456 72c417 5 API calls 25457 7142f8 25456->25457 25457->25292 25457->25293 25458 7142c6 25459 714740 54 API calls 25458->25459 25461 71424b 25458->25461 
25459->25461 25460 711fd0 45 API calls 25460->25462 25461->25456 25462->25458 25462->25460 25462->25461 25464 711770 26 API calls 25462->25464 25630 714740 25462->25630 25464->25462 25466 716668 25465->25466 25467 71666a SetCurrentDirectoryW 25465->25467 25466->25467 25467->25309 25469 7140a9 25468->25469 25664 713f18 25469->25664 25472 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25473 7140c6 25472->25473 25474 726620 25473->25474 25475 726630 _wcslen 25474->25475 25668 714adf 25475->25668 25477 72663e 25477->25345 25480 713396 __EH_prolog3_GS 25478->25480 25479 7133e4 25482 7160a8 47 API calls 25479->25482 25489 71348e 25479->25489 25480->25479 25481 7133f9 CreateFileW 25480->25481 25481->25479 25483 713439 25482->25483 25485 713446 25483->25485 25486 713449 CreateFileW 25483->25486 25488 71345e 25483->25488 25484 72c417 5 API calls 25487 7134cf 25484->25487 25485->25486 25486->25488 25487->25376 25487->25377 25488->25489 25677 7116b3 26 API calls 25488->25677 25489->25484 25492 7132e9 25491->25492 25499 7132fa 25491->25499 25495 7132f5 25492->25495 25496 7132fc 25492->25496 25492->25499 25493 711770 26 API calls 25494 713309 25493->25494 25494->25389 25678 7134d2 25495->25678 25683 713340 25496->25683 25499->25493 25500->25334 25501->25347 25502->25367 25520 728cbe __EH_prolog3_GS 25503->25520 25505 72a3fa 25506 711770 26 API calls 25505->25506 25507 72a405 25506->25507 25508 72c417 5 API calls 25507->25508 25509 72a40a 25508->25509 25509->25378 25510 711fd0 45 API calls 25510->25520 25511 7157f6 26 API calls 25511->25520 25512 7114a3 28 API calls 25512->25520 25514 711770 26 API calls 25514->25520 25516 719c69 28 API calls 25516->25520 25520->25505 25520->25510 25520->25511 25520->25512 25520->25514 25520->25516 25521 72a439 __EH_prolog3_GS 25520->25521 25704 719adc 30 API calls 2 library calls 25520->25704 25705 726674 28 API calls 25520->25705 25706 71a251 CompareStringW 25520->25706 25707 72b29a 26 API calls 25520->25707 25708 
72726a 28 API calls 25520->25708 25709 7129a7 45 API calls 25520->25709 25522 72a4ca 25521->25522 25710 715628 28 API calls _wcslen 25521->25710 25523 72c417 5 API calls 25522->25523 25524 72a4cf 25523->25524 25524->25378 25526 72a4a3 25711 711170 28 API calls _wcslen 25526->25711 25528 72a4b2 25529 7157f6 26 API calls 25528->25529 25530 72a4ba 25529->25530 25531 711770 26 API calls 25530->25531 25532 72a4c2 25531->25532 25533 711770 26 API calls 25532->25533 25533->25522 25535 72abe4 _wcslen __EH_prolog3_catch 25534->25535 25712 71a311 25535->25712 25537 72ac0b 25716 71225a 25537->25716 25541 72ac62 25541->25392 26276 725b76 25542->26276 25545 72a7e5 25547 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25545->25547 25546 72a71f GetWindow 25546->25545 25553 72a738 25546->25553 25548 7281c6 25547->25548 25548->25187 25548->25188 25549 72a745 GetClassNameW 26281 71bf3c CompareStringW 25549->26281 25551 72a769 GetWindowLongW 25552 72a7cd GetWindow 25551->25552 25554 72a779 SendMessageW 25551->25554 25552->25545 25552->25553 25553->25545 25553->25549 25553->25551 25553->25552 25554->25552 25555 72a78f GetObjectW 25554->25555 26282 725bb5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25555->26282 25557 72a7a6 26283 725b94 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 25557->26283 26284 725faa 13 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25557->26284 25560 72a7b7 SendMessageW DeleteObject 25560->25552 25562 726382 25561->25562 25563 7263a7 25561->25563 26287 71bf3c CompareStringW 25562->26287 25565 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25563->25565 25567 7263c0 25565->25567 25566 726395 25566->25563 25568 726399 FindWindowExW 25566->25568 25569 726d92 25567->25569 25568->25563 25570 726d9e __EH_prolog3_catch 25569->25570 26288 72409d 25570->26288 25572 726db9 _wcslen 25572->25240 25573->25212 25575 711b25 25574->25575 25576 711b27 SetDlgItemTextW 25574->25576 25575->25576 25576->25218 
25577->25225 25580 7275d8 5 API calls 25579->25580 25581 72a4ed GetDlgItem 25580->25581 25582 72a544 SendMessageW SendMessageW 25581->25582 25583 72a50c 25581->25583 25584 72a5a3 SendMessageW 25582->25584 25585 72a584 25582->25585 25586 72a517 ShowWindow SendMessageW SendMessageW 25583->25586 25587 72a5bb 25584->25587 25588 72a5bd SendMessageW SendMessageW 25584->25588 25585->25584 25586->25582 25587->25588 25589 72a602 SendMessageW 25588->25589 25590 72a5df SendMessageW 25588->25590 25591 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25589->25591 25590->25589 25592 72a620 25591->25592 25592->25285 25593->25237 25594->25263 25595->25262 25596->25358 25597->25391 25598->25398 25599->25404 25600->25408 25601->25413 25602->25426 25603->25342 25604->25356 25605->25372 25606->25405 25607->25314 25608->25308 25609->25273 25610->25357 25611->25302 25612->25288 25613->25275 25614->25437 25615->25435 25616->25443 25628 72c468 25617->25628 25619 711aa4 GetWindowTextLengthW 25629 7118cd 28 API calls 25619->25629 25621 711adf GetWindowTextW 25622 7114a3 28 API calls 25621->25622 25623 711afe 25622->25623 25624 711b11 25623->25624 25625 7112a3 26 API calls 25623->25625 25626 72c417 5 API calls 25624->25626 25625->25624 25627 711b18 25626->25627 25627->25448 25628->25619 25629->25621 25633 71474c __EH_prolog3_GS 25630->25633 25631 714780 25632 71444f 49 API calls 25631->25632 25635 71478c 25632->25635 25633->25631 25634 71476c CreateDirectoryW 25633->25634 25634->25631 25636 714821 25634->25636 25637 714834 GetLastError 25635->25637 25639 7160a8 47 API calls 25635->25639 25638 714830 25636->25638 25650 714a2f 25636->25650 25637->25638 25642 72c417 5 API calls 25638->25642 25641 7147b4 25639->25641 25643 7147ce 25641->25643 25645 7147c1 25641->25645 25646 7147c4 CreateDirectoryW 25641->25646 25644 714851 25642->25644 25648 7147fe 25643->25648 25649 7116b3 26 API calls 25643->25649 25644->25462 25645->25646 25646->25643 25648->25636 25648->25637 
25649->25648 25651 714a3b __EH_prolog3_GS 25650->25651 25652 714a48 SetFileAttributesW 25651->25652 25653 714a5b 25652->25653 25661 714ac6 25652->25661 25655 7160a8 47 API calls 25653->25655 25654 72c417 5 API calls 25656 714adc 25654->25656 25657 714a7b 25655->25657 25656->25638 25658 714a9a 25657->25658 25659 714a88 25657->25659 25660 714a8b SetFileAttributesW 25657->25660 25658->25661 25663 7116b3 26 API calls 25658->25663 25659->25660 25660->25658 25661->25654 25663->25661 25665 713f38 25664->25665 25666 713f2f 25664->25666 25667 71122c 28 API calls 25665->25667 25666->25472 25667->25666 25669 714bb7 25668->25669 25670 714af2 25668->25670 25676 7129a7 45 API calls 25669->25676 25674 714b04 25670->25674 25675 713f4e 28 API calls 25670->25675 25674->25477 25675->25674 25677->25489 25679 713505 25678->25679 25680 7134db 25678->25680 25679->25499 25680->25679 25689 7143a5 25680->25689 25684 71334c 25683->25684 25686 713366 25683->25686 25684->25686 25687 713358 FindCloseChangeNotification 25684->25687 25685 713385 25685->25499 25686->25685 25703 712d9e 109 API calls 25686->25703 25687->25686 25690 7143b1 __EH_prolog3_GS 25689->25690 25691 7143be DeleteFileW 25690->25691 25692 7143ce 25691->25692 25701 714436 25691->25701 25694 7160a8 47 API calls 25692->25694 25693 72c417 5 API calls 25695 713503 25693->25695 25696 7143ee 25694->25696 25695->25499 25697 71440a 25696->25697 25698 7143fb 25696->25698 25699 7143fe DeleteFileW 25696->25699 25697->25701 25702 7116b3 26 API calls 25697->25702 25698->25699 25699->25697 25701->25693 25702->25701 25703->25685 25704->25520 25705->25520 25706->25520 25707->25520 25708->25520 25710->25526 25711->25528 25713 71a321 _wcslen 25712->25713 25714 711917 28 API calls 25713->25714 25715 71a343 25714->25715 25715->25537 25717 71a2fc 25716->25717 25718 71a311 28 API calls 25717->25718 25719 71a30e 25718->25719 25720 723af4 25719->25720 25721 723b06 __cftof 25720->25721 25732 718b2d 25721->25732 25723 723bb8 __cftof 25736 7236a7 
25723->25736 25725 723c0a 25742 723d87 25725->25742 25727 723c1a 25731 723c1e 25727->25731 25750 721380 25727->25750 25729 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25730 723cf9 25729->25730 25730->25541 25731->25729 25733 718b39 __EH_prolog3 25732->25733 25780 711c02 25733->25780 25735 718b52 25735->25723 25737 72372f __InternalCxxFrameHandler 25736->25737 25738 7157f6 26 API calls 25737->25738 25739 72391e 25738->25739 25785 722684 25739->25785 25743 73369a ___std_exception_copy 21 API calls 25742->25743 25744 723d91 25743->25744 25745 73369a ___std_exception_copy 21 API calls 25744->25745 25746 723da2 25745->25746 25747 723dbb 25746->25747 25790 712ec7 89 API calls 25746->25790 25747->25727 25749 723dd3 25749->25727 25751 72138c __EH_prolog3_GS 25750->25751 25791 721d76 25751->25791 25754 7214d4 25758 7214d2 25754->25758 25915 712edc 110 API calls 25754->25915 25756 7213b6 25756->25758 25760 711fa4 28 API calls 25756->25760 25759 72c417 5 API calls 25758->25759 25761 721514 25759->25761 25762 7213cb 25760->25762 25761->25731 25817 71cb19 72 API calls 2 library calls 25762->25817 25765 72148d 25767 711770 26 API calls 25765->25767 25766 711770 26 API calls 25774 7213d8 25766->25774 25768 721492 25767->25768 25769 711770 26 API calls 25768->25769 25770 72149e 25769->25770 25825 71f7fa 25770->25825 25772 711fa4 28 API calls 25772->25774 25774->25765 25774->25766 25774->25772 25818 714c75 25774->25818 25913 71cb19 72 API calls 2 library calls 25774->25913 25778 7214c7 25914 712d47 89 API calls 25778->25914 25781 7112cf 28 API calls 25780->25781 25782 711c10 25781->25782 25783 7111d8 28 API calls 25782->25783 25784 711c16 25783->25784 25784->25735 25786 722693 25785->25786 25787 7226a0 25785->25787 25789 7225fc 28 API calls 25786->25789 25787->25725 25789->25787 25790->25749 25792 721d82 __EH_prolog3_GS 25791->25792 25793 714c75 53 API calls 25792->25793 25794 721dbe 25793->25794 25797 721dd8 25794->25797 25916 71f479 110 API calls 
__EH_prolog3 25794->25916 25796 721dd4 25796->25797 25917 723e15 25796->25917 25798 711770 26 API calls 25797->25798 25799 722008 25798->25799 25801 72c417 5 API calls 25799->25801 25802 721391 25801->25802 25802->25754 25802->25756 25912 712d47 89 API calls 25802->25912 25807 721e5b 25807->25797 25808 71f7fa 111 API calls 25807->25808 25809 721f33 25808->25809 25809->25797 25939 71f5b7 25809->25939 25811 721f4c 25812 71f7fa 111 API calls 25811->25812 25815 721f8d 25811->25815 25813 721f7b 25812->25813 25813->25797 25814 71f5b7 120 API calls 25813->25814 25814->25815 25815->25797 25945 712d47 89 API calls 25815->25945 25817->25774 25952 716417 25818->25952 25823 714c9c FindClose 25824 714caf 25823->25824 25824->25774 25826 71f820 __allrem 25825->25826 25827 71f834 25826->25827 25828 713cf0 111 API calls 25826->25828 25829 71cea4 25827->25829 25828->25827 25830 71cf5c 25829->25830 25831 7114a3 28 API calls 25830->25831 25832 71cf6d 25831->25832 25988 71b844 25832->25988 25835 711770 26 API calls 25836 71cf9a 25835->25836 25991 71cb78 25836->25991 25842 71e26f 25844 71e2ec 25842->25844 25846 71e288 25842->25846 25849 71e312 25844->25849 26120 712d47 89 API calls 25844->26120 25845 7114a3 28 API calls 25845->25846 25846->25842 25846->25844 25846->25845 25851 711770 26 API calls 25846->25851 26119 714862 55 API calls __EH_prolog3_GS 25846->26119 25850 71e34f 25849->25850 26121 712c45 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25849->26121 26122 71c34e 26 API calls 25850->26122 25851->25846 25852 7114a3 28 API calls 25893 71cfe9 __InternalCxxFrameHandler __cftof _wcslen __allrem 25852->25893 25856 71e3b0 26123 71c9b3 26 API calls 25856->26123 25857 716679 45 API calls 25857->25893 25858 71ca6f 47 API calls 25858->25893 25861 71e3b8 26124 71ce2b 26 API calls 25861->26124 25863 71e3c0 25865 711770 26 API calls 25863->25865 25864 71f479 110 API calls 25864->25893 25867 71e3cb 25865->25867 25866 71f5b7 120 API calls 25866->25893 26125 71c98f 26 API 
calls 25867->26125 25869 71b844 91 API calls 25869->25893 25870 71e3d6 25872 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25870->25872 25871 712d47 89 API calls 25871->25893 25874 71e3f3 25872->25874 25873 711770 26 API calls 25873->25893 25874->25754 25874->25778 25875 71f9d1 120 API calls 25875->25893 25877 71f0de 127 API calls 25877->25893 25878 71f7fa 111 API calls 25878->25893 25879 71eaad 28 API calls 25879->25893 25880 724166 32 API calls 25880->25893 25881 719f55 26 API calls 25881->25893 25883 7166f1 28 API calls 25883->25893 25893->25842 25893->25852 25893->25857 25893->25858 25893->25864 25893->25866 25893->25869 25893->25871 25893->25873 25893->25875 25893->25877 25893->25878 25893->25879 25893->25880 25893->25881 25893->25883 25895 711fa4 28 API calls 25893->25895 25896 712c81 89 API calls 25893->25896 25903 71e268 25893->25903 25904 71444f 49 API calls 25893->25904 25906 714740 54 API calls 25893->25906 25907 714235 54 API calls 25893->25907 25911 713cf0 111 API calls 25893->25911 26003 722010 25893->26003 26008 71ac74 25893->26008 26011 722199 25893->26011 26016 715af6 25893->26016 26026 71b85d 25893->26026 26044 71ee8e 25893->26044 26056 71e3fb 25893->26056 26101 71c475 28 API calls 25893->26101 26102 71c6db 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25893->26102 26103 719f79 28 API calls 25893->26103 26104 71c7a7 28 API calls 25893->26104 26105 71c0ce 28 API calls 25893->26105 26106 712767 49 API calls __EH_prolog3_GS 25893->26106 26107 71eccc 89 API calls 25893->26107 26108 71c9fb 26 API calls 25893->26108 26109 71cb19 72 API calls 2 library calls 25893->26109 26110 7116b3 26 API calls 25893->26110 26111 71c156 28 API calls __InternalCxxFrameHandler 25893->26111 26112 71453a 119 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25893->26112 26113 713030 109 API calls __EH_prolog3_GS 25893->26113 26114 71c661 28 API calls 25893->26114 26115 71c24d 28 API calls __EH_prolog3_catch 
25893->26115 26116 71b67c 61 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25893->26116 26117 722993 125 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25893->26117 25895->25893 25896->25893 26118 712c14 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25903->26118 25904->25893 25906->25893 25907->25893 25911->25893 25912->25756 25913->25774 25914->25758 25915->25758 25916->25796 25920 723e4b 25917->25920 25918 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25919 721dea 25918->25919 25921 7217b1 25919->25921 25920->25918 25922 7217e2 25921->25922 25928 721882 __allrem 25921->25928 25923 7217ec 25922->25923 25922->25928 25946 71f9d1 120 API calls __EH_prolog3_GS 25923->25946 25925 721863 25930 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25925->25930 25926 71f5b7 120 API calls 25935 721ae2 25926->25935 25927 721817 25927->25925 25927->25926 25934 7218f9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z _strncpy 25928->25934 25937 713cf0 111 API calls 25928->25937 25929 7218de 25947 71f9d1 120 API calls __EH_prolog3_GS 25929->25947 25932 721bc4 25930->25932 25932->25797 25938 7225bf 127 API calls 25932->25938 25934->25925 25934->25927 25948 71f9d1 120 API calls __EH_prolog3_GS 25934->25948 25935->25925 25949 721515 120 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 25935->25949 25937->25929 25938->25807 25940 71f67a 25939->25940 25943 71f5c9 __InternalCxxFrameHandler 25939->25943 25940->25811 25942 71f67c 25951 712f5d 109 API calls 25942->25951 25943->25940 25943->25942 25950 71f9d1 120 API calls __EH_prolog3_GS 25943->25950 25945->25797 25946->25927 25947->25934 25948->25934 25949->25925 25950->25943 25951->25940 25953 716429 25952->25953 25979 713215 25953->25979 25956 714d8a 25957 714d99 __EH_prolog3_GS 25956->25957 25958 714e89 FindNextFileW 25957->25958 25959 714dab FindFirstFileW 25957->25959 25960 714e9b GetLastError 25958->25960 25961 
714eac 25958->25961 25959->25961 25963 714dce 25959->25963 25965 714e71 25960->25965 25967 7114a3 28 API calls 25961->25967 25964 7160a8 47 API calls 25963->25964 25968 714df0 25964->25968 25966 72c417 5 API calls 25965->25966 25969 714c97 25966->25969 25970 714ec3 25967->25970 25971 714e10 25968->25971 25973 714e00 FindFirstFileW 25968->25973 25969->25823 25969->25824 25972 7166d5 45 API calls 25970->25972 25978 714e4c 25971->25978 25987 7116b3 26 API calls 25971->25987 25974 714ed4 25972->25974 25973->25971 25977 711770 26 API calls 25974->25977 25975 714e66 GetLastError 25975->25965 25977->25965 25978->25961 25978->25975 25980 713221 _wcslen 25979->25980 25983 712afe 25980->25983 25986 712b41 __cftof 25983->25986 25984 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 25985 712bb3 25984->25985 25985->25824 25985->25956 25986->25984 25987->25978 26126 72b0da 25988->26126 26152 71c437 25991->26152 25994 7111d8 28 API calls 25995 71cb8c 25994->25995 25996 71c62c 25995->25996 25997 71c63a 25996->25997 26158 71c0ae 25997->26158 26000 71c014 26001 72c386 28 API calls 26000->26001 26002 71c01b 26001->26002 26002->25893 26004 71f5b7 120 API calls 26003->26004 26007 72202b 26004->26007 26005 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26006 722197 26005->26006 26006->25893 26007->26005 26163 71acd0 SystemTimeToFileTime 26008->26163 26012 71f5b7 120 API calls 26011->26012 26015 7221b4 26012->26015 26013 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26014 7222e9 26013->26014 26014->25893 26015->26013 26025 715b20 26016->26025 26017 715ce1 26019 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26017->26019 26018 711fd0 45 API calls 26020 715ccc 26018->26020 26021 715cf1 26019->26021 26022 7157f6 26 API calls 26020->26022 26021->25893 26023 715cd8 26022->26023 26024 711770 26 API calls 26023->26024 26024->26017 26025->26017 26025->26018 26026->25893 26027 72b157 
__EH_prolog3_GS 26026->26027 26028 717fca 53 API calls 26027->26028 26029 72b1a0 26028->26029 26030 71a2ad 53 API calls 26029->26030 26031 72b1aa 26030->26031 26032 7157f6 26 API calls 26031->26032 26033 72b1b6 26032->26033 26034 711770 26 API calls 26033->26034 26035 72b1be 26034->26035 26036 711b1b SetDlgItemTextW 26035->26036 26037 72b1cf 26036->26037 26172 7275d8 PeekMessageW 26037->26172 26040 72c417 5 API calls 26042 72b220 26040->26042 26042->25893 26043 72b20a 26043->26040 26045 71ee9d __EH_prolog3_GS 26044->26045 26178 7166f1 28 API calls 26045->26178 26047 71eec1 26048 714c75 53 API calls 26047->26048 26049 71eefd 26048->26049 26050 711770 26 API calls 26049->26050 26051 71ef21 26050->26051 26055 71ef59 26051->26055 26179 7116b3 26 API calls 26051->26179 26052 72c417 5 API calls 26054 71ef75 26052->26054 26054->25893 26055->26052 26057 71e444 26056->26057 26061 71e47e __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 26056->26061 26180 71f4ee 26057->26180 26060 71e54b 26063 71e59c 26060->26063 26070 71e605 26060->26070 26061->26060 26203 713d79 SetEndOfFile 26061->26203 26062 714235 54 API calls 26064 71e45d 26062->26064 26065 71e5d6 26063->26065 26067 71e5a6 26063->26067 26066 71f4ee 57 API calls 26064->26066 26194 72009a 26065->26194 26068 71e462 26066->26068 26204 713165 89 API calls 26067->26204 26068->26061 26072 71e466 26068->26072 26098 71e70d 26070->26098 26211 71f69f 120 API calls 26070->26211 26212 71b80d 26070->26212 26215 71f359 26070->26215 26202 712dc6 109 API calls 26072->26202 26075 71e5e5 26080 71e752 26075->26080 26219 712ec7 89 API calls 26075->26219 26076 71e5b6 26077 71e476 26076->26077 26205 71ef7a 26076->26205 26078 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26077->26078 26079 71e907 26078->26079 26079->25893 26091 71e811 26080->26091 26220 72310d IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 26080->26220 26083 71f359 114 API calls 
26083->26075 26087 7143a5 49 API calls 26087->26077 26089 71e8d6 26090 71e8e4 26089->26090 26093 71ef7a 51 API calls 26089->26093 26090->26077 26096 7143a5 49 API calls 26090->26096 26095 71e859 26091->26095 26222 712c81 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 26091->26222 26093->26090 26095->26089 26095->26090 26223 713d79 SetEndOfFile 26095->26223 26096->26077 26097 71e772 26097->26091 26221 71f69f 120 API calls 26097->26221 26098->26075 26098->26083 26101->25893 26102->25893 26103->25893 26104->25893 26105->25893 26106->25893 26107->25893 26109->25893 26110->25893 26111->25893 26112->25893 26113->25893 26114->25893 26115->25893 26116->25893 26117->25893 26118->25842 26119->25846 26120->25849 26121->25850 26122->25856 26123->25861 26124->25863 26125->25870 26127 72b0e6 __EH_prolog3_GS 26126->26127 26128 71654f 45 API calls 26127->26128 26129 72b109 26128->26129 26130 717fca 53 API calls 26129->26130 26131 72b11c 26130->26131 26132 71a2ad 53 API calls 26131->26132 26133 72b126 26132->26133 26134 711770 26 API calls 26133->26134 26135 72b135 26134->26135 26142 72adf6 26135->26142 26138 711770 26 API calls 26139 72b14f 26138->26139 26140 72c417 5 API calls 26139->26140 26141 71b85a 26140->26141 26141->25835 26143 72ae02 __EH_prolog3_GS 26142->26143 26144 7114a3 28 API calls 26143->26144 26145 72ae0e 26144->26145 26146 72a4d2 21 API calls 26145->26146 26147 72ae1d 26146->26147 26148 711770 26 API calls 26147->26148 26149 72ae25 26148->26149 26150 72c417 5 API calls 26149->26150 26151 72ae2a 26150->26151 26151->26138 26153 71c442 26152->26153 26154 71c44b 26152->26154 26153->25994 26157 71172f 27 API calls 2 library calls 26154->26157 26156 71c450 26157->26156 26159 71c0b5 26158->26159 26160 71c0ca 26159->26160 26162 71ca43 26 API calls 26159->26162 26160->26000 26162->26159 26164 71ad41 26163->26164 26165 71adcc 26163->26165 26166 715032 6 API calls 26164->26166 26168 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API 
calls 26165->26168 26167 71ad46 26166->26167 26169 71ad67 FileTimeToSystemTime TzSpecificLocalTimeToSystemTime SystemTimeToFileTime SystemTimeToFileTime 26167->26169 26170 71ad4d LocalFileTimeToFileTime 26167->26170 26171 71accc 26168->26171 26169->26165 26170->26165 26171->25893 26173 7275f3 GetMessageW 26172->26173 26174 72762c 26172->26174 26175 727618 TranslateMessage DispatchMessageW 26173->26175 26176 727609 IsDialogMessageW 26173->26176 26174->26043 26177 7116b3 26 API calls 26174->26177 26175->26174 26176->26174 26176->26175 26177->26043 26178->26047 26179->26055 26181 71f4fa __EH_prolog3_GS 26180->26181 26182 714c75 53 API calls 26181->26182 26185 71f534 26182->26185 26183 71f54a 26184 72c386 28 API calls 26183->26184 26187 71f551 26184->26187 26185->26183 26224 714854 49 API calls 26185->26224 26188 71338a 49 API calls 26187->26188 26189 71f57d 26188->26189 26190 711770 26 API calls 26189->26190 26191 71f5af 26190->26191 26192 72c417 5 API calls 26191->26192 26193 71e449 26192->26193 26193->26061 26193->26062 26195 7200cc 26194->26195 26197 72022f 26195->26197 26198 71b80d 6 API calls 26195->26198 26199 7201d0 26195->26199 26201 713cf0 111 API calls 26195->26201 26225 72023e 26195->26225 26197->26075 26198->26195 26239 71fbb0 114 API calls 26199->26239 26201->26195 26202->26077 26203->26060 26204->26076 26206 71ef8a 26205->26206 26207 71efc4 26205->26207 26245 713c12 26206->26245 26209 71e5c8 26207->26209 26210 714a2f 49 API calls 26207->26210 26209->26087 26210->26209 26211->26070 26250 72b00b 26212->26250 26216 71f36f 26215->26216 26217 71f3b8 26216->26217 26257 713d88 26216->26257 26217->26070 26219->26080 26220->26097 26221->26097 26222->26095 26223->26089 26224->26183 26231 720255 26225->26231 26236 7202ae 26225->26236 26226 720345 26242 720870 125 API calls 2 library calls 26226->26242 26227 72034c 26230 720350 26227->26230 26234 720357 26227->26234 26243 721189 125 API calls 26230->26243 26231->26236 26240 71f69f 120 API calls 26231->26240 26233 
72034a 26233->26195 26234->26233 26244 721024 125 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 26234->26244 26236->26233 26238 720324 26236->26238 26241 71f69f 120 API calls 26236->26241 26238->26226 26238->26227 26238->26233 26239->26197 26240->26231 26241->26236 26242->26233 26243->26233 26244->26233 26246 713c23 26245->26246 26248 713c32 26245->26248 26247 713c29 FlushFileBuffers 26246->26247 26246->26248 26247->26248 26249 713caf SetFileTime 26248->26249 26249->26207 26255 7197cd 26250->26255 26252 72b022 SendDlgItemMessageW 26253 7275d8 5 API calls 26252->26253 26254 71b82d 26253->26254 26254->26070 26256 7197db 26255->26256 26256->26252 26258 713d94 __EH_prolog3_GS 26257->26258 26259 713db6 GetStdHandle 26258->26259 26265 713da3 26258->26265 26271 713dc8 26258->26271 26259->26271 26260 72c417 5 API calls 26261 713eeb 26260->26261 26261->26217 26262 713e1f WriteFile 26262->26271 26263 713ded 26264 713def WriteFile 26263->26264 26263->26271 26264->26263 26264->26271 26265->26260 26267 713eb7 26268 7114a3 28 API calls 26267->26268 26269 713ec4 26268->26269 26275 713183 109 API calls 26269->26275 26271->26262 26271->26263 26271->26264 26271->26265 26271->26267 26274 712d73 111 API calls 26271->26274 26272 713ed7 26273 711770 26 API calls 26272->26273 26273->26265 26274->26271 26275->26272 26285 725b94 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26276->26285 26278 725b7d 26279 725b89 26278->26279 26286 725bb5 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 26278->26286 26279->25545 26279->25546 26281->25553 26282->25557 26283->25557 26284->25560 26285->26278 26286->26279 26287->25566 26293 723f16 26288->26293 26290 7240ba 26292 7240f0 26290->26292 26303 71b976 MultiByteToWideChar 26290->26303 26292->25572 26294 723f22 __EH_prolog3_GS 26293->26294 26304 713650 26294->26304 26297 723f51 26299 7132b8 114 API calls 26297->26299 26300 723f59 26299->26300 26301 72c417 5 API calls 26300->26301 26302 723f5e 26301->26302 26302->26290 26303->26292 26305 
71369b CreateFileW 26304->26305 26307 71372a GetLastError 26305->26307 26317 7137c1 26305->26317 26308 7160a8 47 API calls 26307->26308 26309 713758 26308->26309 26311 713765 26309->26311 26312 713768 CreateFileW GetLastError 26309->26312 26316 71378e 26309->26316 26310 71381f 26315 711770 26 API calls 26310->26315 26311->26312 26314 71378a 26312->26314 26312->26316 26313 713805 SetFileTime 26313->26310 26314->26316 26318 71384c 26315->26318 26316->26317 26328 7116b3 26 API calls 26316->26328 26317->26310 26317->26313 26319 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26318->26319 26321 713866 26319->26321 26321->26297 26322 723f61 26321->26322 26323 723f6e 26322->26323 26324 723e15 5 API calls 26323->26324 26325 72400e __InternalCxxFrameHandler 26323->26325 26326 723f86 26324->26326 26325->26297 26326->26325 26329 712c45 89 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 26326->26329 26328->26317 26329->26325 26330 72c310 26331 72c326 _com_error::_com_error 26330->26331 26332 72dd8a std::_Xinvalid_argument RaiseException 26331->26332 26333 72c334 26332->26333 26334 72bdd7 ___delayLoadHelper2@8 17 API calls 26333->26334 26335 72c34c 26334->26335 26336 71fbd3 26339 71fc1e __cftof 26336->26339 26337 72c3c4 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 26338 720046 26337->26338 26340 73369a ___std_exception_copy 21 API calls 26339->26340 26341 71fc57 26339->26341 26340->26339 26341->26337 26342 72b88a 26343 72b78e 26342->26343 26344 72bdd7 ___delayLoadHelper2@8 17 API calls 26343->26344 26344->26343

    Control-flow Graph

    control_flow_graph 502 72b2fe-72b3c6 call 71a590 call 715d94 call 72655d call 72dc30 call 726961 call 726913 GetCommandLineW 515 72b3cc-72b3f0 call 7114a3 call 72894e call 711770 502->515 516 72b4ad-72b4d6 call 715eb3 call 7157f6 call 711770 502->516 529 72b490-72b4a8 call 7114a3 call 72ae2d call 711770 515->529 530 72b3f6-72b40d OpenFileMappingW 515->530 531 72b4d8 516->531 532 72b4dd-72b5e5 SetEnvironmentVariableW GetLocalTime call 714c1e SetEnvironmentVariableW GetModuleHandleW LoadIconW call 727745 call 7171ea call 724326 * 2 DialogBoxParamW call 724418 * 2 516->532 529->516 534 72b486-72b48e CloseHandle 530->534 535 72b40f-72b41d MapViewOfFile 530->535 531->532 566 72b5e7-72b5e8 Sleep 532->566 567 72b5ee-72b5f5 532->567 534->516 535->534 539 72b41f-72b43b UnmapViewOfFile MapViewOfFile 535->539 539->534 542 72b43d-72b480 call 726bf9 call 72ae2d call 718c7e call 718d34 call 718d6d UnmapViewOfFile 539->542 542->534 566->567 568 72b5f7 call 726b0c 567->568 569 72b5fc-72b619 call 718bb6 DeleteObject 567->569 568->569 573 72b622-72b628 569->573 574 72b61b-72b61c DeleteObject 569->574 575 72b642-72b650 573->575 576 72b62a-72b631 573->576 574->573 578 72b652-72b65e call 72af00 CloseHandle 575->578 579 72b664-72b671 575->579 576->575 577 72b633-72b63d call 712fe8 576->577 577->575 578->579 582 72b673-72b67f 579->582 583 72b695-72b699 call 7265c3 579->583 586 72b681-72b689 582->586 587 72b68f-72b691 582->587 590 72b69e-72b6b7 call 72c3c4 583->590 586->583 588 72b68b-72b68d 586->588 587->583 589 72b693 587->589 588->583 589->583
    APIs
      • Part of subcall function 0071A590: GetModuleHandleW.KERNEL32(kernel32,D5FC40FB), ref: 0071A5DC
      • Part of subcall function 0071A590: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0071A5EE
      • Part of subcall function 0071A590: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0071A618
      • Part of subcall function 00715D94: __EH_prolog3.LIBCMT ref: 00715D9B
      • Part of subcall function 00715D94: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00716209,?,000000FF,\\?\,D5FC40FB,?,000000FF,?,?,0073FF80,000000FF), ref: 00715DA4
      • Part of subcall function 0072655D: OleInitialize.OLE32(00000000), ref: 00726576
      • Part of subcall function 0072655D: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 007265AD
      • Part of subcall function 0072655D: SHGetMalloc.SHELL32(0076AA78), ref: 007265B7
    • GetCommandLineW.KERNEL32 ref: 0072B3BC
    • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp,?,00000000), ref: 0072B403
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000009,?,00000000), ref: 0072B415
    • UnmapViewOfFile.KERNEL32(00000000,?,00000000), ref: 0072B423
    • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,?,?,00000000), ref: 0072B431
      • Part of subcall function 00726BF9: __EH_prolog3.LIBCMT ref: 00726C00
      • Part of subcall function 0072AE2D: __EH_prolog3_GS.LIBCMT ref: 0072AE34
      • Part of subcall function 0072AE2D: SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 0072AE4C
      • Part of subcall function 0072AE2D: SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 0072AEB7
      • Part of subcall function 00718D34: _wcslen.LIBCMT ref: 00718D58
    • UnmapViewOfFile.KERNEL32(00000000,0076AB80,00000400,0076AB80,0076AB80,00000400,00000000,00000001,?,00000000), ref: 0072B480
    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0072B487
    • SetEnvironmentVariableW.KERNEL32(sfxname,0074E668,00000000), ref: 0072B4E3
    • GetLocalTime.KERNEL32(?), ref: 0072B4EE
    • _swprintf.LIBCMT ref: 0072B52D
    • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 0072B542
    • GetModuleHandleW.KERNEL32(00000000), ref: 0072B549
    • LoadIconW.USER32(00000000,00000064), ref: 0072B560
    • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_00017860,00000000), ref: 0072B5B7
    • Sleep.KERNEL32(00000000), ref: 0072B5E8
    • DeleteObject.GDI32 ref: 0072B60C
    • DeleteObject.GDI32(00050E1A), ref: 0072B61C
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
      • Part of subcall function 0072894E: __EH_prolog3_GS.LIBCMT ref: 00728955
    • CloseHandle.KERNEL32 ref: 0072B65E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: File$EnvironmentHandleVariableView$AddressCloseDeleteH_prolog3H_prolog3_ModuleObjectProcUnmap_wcslen$CommandCurrentDialogDirectoryGdiplusIconInitializeLineLoadLocalMallocMappingOpenParamSleepStartupTime_swprintf
    • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$ht$sfxname$sfxstime$winrarsfxmappingfile.tmp
    • API String ID: 3142445277-2829514963
    • Opcode ID: 454a9b3b73469be2e35f8c2c5b4bf5a6f4f0e24909573dd87016fce1ab55e6aa
    • Instruction ID: 59e6c6d545e28b66a41e446a6f049d0ddda79121b081a02ee63320852a741b84
    • Opcode Fuzzy Hash: 454a9b3b73469be2e35f8c2c5b4bf5a6f4f0e24909573dd87016fce1ab55e6aa
    • Instruction Fuzzy Hash: BB91A2B1504354EFC321EF64EC49FAB77E8AB49700F40881EF54AA2292DB7C9945CF66
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0071B976: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,0071B946,?,?,?,?,0000000C), ref: 0071B992
    • _wcslen.LIBCMT ref: 0071760C
    • __fprintf_l.LIBCMT ref: 00717759
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ByteCharMultiWide__fprintf_l_wcslen
    • String ID: ,$$%s:$*messages***$*messages***$@%s:$@'t$P't$RTL$`'t$l't
    • API String ID: 1796436225-1881979431
    • Opcode ID: dd14cd8cafb29c69ce98e4c92d4d88a23954e6e1c7f5b61d37081395a70a6abd
    • Instruction ID: e3abe5eb2c3d52ec3ea1b446d4a40699b43c5b3fa35f012ecb43cf152992b18a
    • Opcode Fuzzy Hash: dd14cd8cafb29c69ce98e4c92d4d88a23954e6e1c7f5b61d37081395a70a6abd
    • Instruction Fuzzy Hash: 8652A571904259EBDF28DFACC889AEE77B5FF04310F50452AF505AB2C1E7789A85CB60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 982 725c5c-725c79 FindResourceW 983 725d75 982->983 984 725c7f-725c90 SizeofResource 982->984 985 725d77-725d7b 983->985 984->983 986 725c96-725ca5 LoadResource 984->986 986->983 987 725cab-725cb6 LockResource 986->987 987->983 988 725cbc-725cd1 GlobalAlloc 987->988 989 725cd7-725ce0 GlobalLock 988->989 990 725d6d-725d73 988->990 991 725d66-725d67 GlobalFree 989->991 992 725ce6-725d04 call 72d6b0 989->992 990->985 991->990 996 725d06-725d28 call 725bd6 992->996 997 725d5f-725d60 GlobalUnlock 992->997 996->997 1002 725d2a-725d32 996->1002 997->991 1003 725d34-725d48 GdipCreateHBITMAPFromBitmap 1002->1003 1004 725d4d-725d5b 1002->1004 1003->1004 1005 725d4a 1003->1005 1004->997 1005->1004
    APIs
    • FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,007277A5,00000066), ref: 00725C6F
    • SizeofResource.KERNEL32(00000000,?,?,?,007277A5,00000066), ref: 00725C86
    • LoadResource.KERNEL32(00000000,?,?,?,007277A5,00000066), ref: 00725C9D
    • LockResource.KERNEL32(00000000,?,?,?,007277A5,00000066), ref: 00725CAC
    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,007277A5,00000066), ref: 00725CC7
    • GlobalLock.KERNEL32(00000000,?,?,?,?,?,007277A5,00000066), ref: 00725CD8
    • GlobalUnlock.KERNEL32(00000000), ref: 00725D60
      • Part of subcall function 00725BD6: GdipAlloc.GDIPLUS(00000010), ref: 00725BDC
    • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00725D41
    • GlobalFree.KERNEL32(00000000), ref: 00725D67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: GlobalResource$AllocGdipLock$BitmapCreateFindFreeFromLoadSizeofUnlock
    • String ID: PNG
    • API String ID: 541704414-364855578
    • Opcode ID: 177fc33ef74cd11638f5504258731ef3b36ef86343fc677466c437f4080fdca0
    • Instruction ID: 2e44f4759dbd8072bada09125c6185de9414203b339ea89d2c04696e28fea821
    • Opcode Fuzzy Hash: 177fc33ef74cd11638f5504258731ef3b36ef86343fc677466c437f4080fdca0
    • Instruction Fuzzy Hash: 7F319F75600B26BFC3109F21EC8C92BBBA9FF46751704851AF90692272EB79DC11CEA5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 1740 714d8a-714da5 call 72c468 1743 714e89-714e99 FindNextFileW 1740->1743 1744 714dab-714db1 1740->1744 1745 714e9b-714eaa GetLastError 1743->1745 1746 714eac-714f5e call 7121d7 call 7114a3 call 7166d5 call 711770 call 71ae56 * 3 1743->1746 1747 714db3 1744->1747 1748 714db5-714dc8 FindFirstFileW 1744->1748 1749 714e81-714e84 1745->1749 1754 714f63-714f6e call 72c417 1746->1754 1747->1748 1748->1746 1751 714dce-714df2 call 7160a8 1748->1751 1749->1754 1760 714e10-714e1a 1751->1760 1761 714df4-714dfb 1751->1761 1762 714e61-714e64 1760->1762 1763 714e1c-714e37 1760->1763 1765 714e00-714e0e FindFirstFileW 1761->1765 1766 714dfd 1761->1766 1762->1746 1770 714e66-714e6f GetLastError 1762->1770 1767 714e39-714e52 call 7116b3 1763->1767 1768 714e58-714e60 call 72c3b6 1763->1768 1765->1760 1766->1765 1767->1768 1768->1762 1774 714e71-714e74 1770->1774 1775 714e7f 1770->1775 1774->1775 1779 714e76-714e79 1774->1779 1775->1749 1779->1775 1781 714e7b-714e7d 1779->1781 1781->1749
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00714D94
    • FindFirstFileW.KERNELBASE(?,-00000278,00000274,00714C97,000000FF,?,?,?,?,0071FA7D,0076B1E4,-00000070,00000000), ref: 00714DBD
    • FindFirstFileW.KERNELBASE(-00000028,-00000278,?,-00000028,?,?,?,?,?,?,?,?,?,?,0072114C,00000000), ref: 00714E08
    • GetLastError.KERNEL32(?,-00000028,?,?,?,?,?,?,?,?,?,?,0072114C,00000000), ref: 00714E66
    • FindNextFileW.KERNEL32(?,-00000278,00000274,00714C97,000000FF,?,?,?,?,0071FA7D,0076B1E4,-00000070,00000000), ref: 00714E91
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0072114C,00000000), ref: 00714E9E
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: FileFind$ErrorFirstLast$H_prolog3_Next
    • String ID:
    • API String ID: 3831798110-0
    • Opcode ID: f7860fb5a02b47719c07ab1577475be75f68722ae58b7d362a3a3ef1c5498c3c
    • Instruction ID: eb5398be7e13ab1a4b68224e957422975302faab7a516ebf0e1635e016a6e229
    • Opcode Fuzzy Hash: f7860fb5a02b47719c07ab1577475be75f68722ae58b7d362a3a3ef1c5498c3c
    • Instruction Fuzzy Hash: F5516E75904219DFCF14DF68D889AEDB7B4BF08320F100299E419A32D1DB38AAD9CF54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcess.KERNEL32(007363DC,?,00735398,007363DC,0074C1F0,0000000C,007354EF,007363DC,00000002,00000000,?,007363DC), ref: 007353E3
    • TerminateProcess.KERNEL32(00000000,?,00735398,007363DC,0074C1F0,0000000C,007354EF,007363DC,00000002,00000000,?,007363DC), ref: 007353EA
    • ExitProcess.KERNEL32 ref: 007353FC
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 213fff598b26a31626913f2e975b6e43eefab577c0b2a63b28ac72a68b792397
    • Instruction ID: 1e64ae53b2c01344f68117900a313a0fbdb94dc23aabb48406c7015de61bdafe
    • Opcode Fuzzy Hash: 213fff598b26a31626913f2e975b6e43eefab577c0b2a63b28ac72a68b792397
    • Instruction Fuzzy Hash: A6E04635000688EBDF016F68CD08A893B6AEB01385F908014F9068A133CB3DEC93CA84
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0071E4C0
      • Part of subcall function 0071F4EE: __EH_prolog3_GS.LIBCMT ref: 0071F4F5
      • Part of subcall function 00714235: __EH_prolog3_GS.LIBCMT ref: 0071423C
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_$Unothrow_t@std@@@__ehfuncinfo$??2@
    • String ID:
    • API String ID: 4214654750-0
    • Opcode ID: 04e3e20b1b31fe8b9f92e718ec95e0e4f21536d8f16895ffa934f81417344d94
    • Instruction ID: b3f3926ee1416778af21d78c539e499e83a91c6b2f2045f7503ed23936267ed0
    • Opcode Fuzzy Hash: 04e3e20b1b31fe8b9f92e718ec95e0e4f21536d8f16895ffa934f81417344d94
    • Instruction Fuzzy Hash: 9ED1A070504341AFD725AF2CEC496A93BA5FB55314F088229FC52A32E2D7BC98C1CF5A
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID:
    • String ID: c
    • API String ID: 0-112844655
    • Opcode ID: 491923b985624419b869fd99ba8d53ee05ad7a4b418d2b4e23a66a19db910dea
    • Instruction ID: fc2425437b3e14ea81780671f67030a1d619f4e0bfaaeab4c6b8cb19b92e8001
    • Opcode Fuzzy Hash: 491923b985624419b869fd99ba8d53ee05ad7a4b418d2b4e23a66a19db910dea
    • Instruction Fuzzy Hash: 6EE14971A083558FC724DF2CD580AAAF7E1BBC8308F10493EE99997391D734E985CB92
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    control_flow_graph 0 71a590-71a5e6 call 72c600 GetModuleHandleW 3 71a5e8-71a5f8 GetProcAddress 0->3 4 71a63d-71a8a1 0->4 7 71a612-71a622 GetProcAddress 3->7 8 71a5fa-71a610 3->8 5 71a9b0 4->5 6 71a8a7-71a8b2 call 734bfd 4->6 11 71a9b2-71a9d3 call 715eb3 call 71654f 5->11 6->5 16 71a8b8-71a8cd call 715eb3 6->16 7->4 10 71a624-71a639 7->10 8->7 10->4 23 71a9d5-71a9e1 call 715032 11->23 24 71a8d2-71a8ea CreateFileW 16->24 25 71a8cf 16->25 32 71a9e3-71a9f1 call 71a473 23->32 33 71aa18-71aa49 call 7114a3 call 7166d5 call 711770 call 714461 23->33 27 71a8f0-71a8fc SetFilePointer 24->27 28 71a99b-71a9ae CloseHandle call 711770 24->28 25->24 27->28 30 71a902-71a91c ReadFile 27->30 28->11 30->28 34 71a91e-71a929 30->34 32->33 45 71a9f3-71aa16 CompareStringW 32->45 64 71aa4e-71aa51 33->64 38 71ac07-71ac0c call 72c7bf 34->38 39 71a92f-71a962 call 7114a3 34->39 48 71a976-71a989 call 719b75 39->48 45->33 49 71aa53-71aa57 45->49 58 71a964-71a96b 48->58 59 71a98b-71a996 call 711770 * 2 48->59 49->23 53 71aa5d 49->53 56 71aa61-71aa65 53->56 60 71aa67 56->60 61 71aaab-71aaad 56->61 62 71a970-71a971 call 71a473 58->62 63 71a96d 58->63 59->28 68 71aa69-71aa9f call 7114a3 call 7166d5 call 711770 call 714461 60->68 65 71aab3-71aac6 call 7165bf call 715032 61->65 66 71abd2-71ac04 call 711770 * 2 call 72c3c4 61->66 62->48 63->62 64->49 70 71aa5f 64->70 85 71ab47-71ab7b call 71a2ad AllocConsole 65->85 86 71aac8-71ab45 call 71a473 * 2 call 717fca call 71a2ad call 717fca call 7114a3 call 725d7e call 711549 65->86 101 71aaa1-71aaa5 68->101 102 71aaa9 68->102 70->56 98 71abc2 85->98 99 71ab7d-71abbc GetCurrentProcessId AttachConsole call 71ac56 call 71ac4b GetStdHandle WriteConsoleW Sleep FreeConsole 85->99 103 71abc5-71abcc call 711549 ExitProcess 86->103 98->103 99->98 101->68 107 71aaa7 101->107 102->61 107->61
    APIs
    • GetModuleHandleW.KERNEL32(kernel32,D5FC40FB), ref: 0071A5DC
    • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0071A5EE
    • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 0071A618
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0071A8DF
    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0071A8F4
    • ReadFile.KERNEL32(00000000,?,00007FFE,?,00000000), ref: 0071A914
    • CloseHandle.KERNEL32(00000000), ref: 0071A99C
    • CompareStringW.KERNEL32(00000400,00001001,?,000000FF,DXGIDebug.dll,000000FF,?,?,?), ref: 0071AA0D
    • AllocConsole.KERNEL32 ref: 0071AB73
    • GetCurrentProcessId.KERNEL32 ref: 0071AB7D
    • AttachConsole.KERNEL32(00000000), ref: 0071AB84
    • GetStdHandle.KERNEL32(000000F4,00000000,00000000,?,00000000), ref: 0071ABA4
    • WriteConsoleW.KERNEL32(00000000), ref: 0071ABAB
    • Sleep.KERNEL32(00002710), ref: 0071ABB6
    • FreeConsole.KERNEL32 ref: 0071ABBC
    • ExitProcess.KERNEL32 ref: 0071ABCC
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Console$FileHandle$AddressProcProcess$AllocAttachCloseCompareCreateCurrentExitFreeModulePointerReadSleepStringWrite
    • String ID: +t$ .t$$,t$(-t$4)t$4*t$8+t$<,t$<-t$<.t$DXGIDebug.dll$H*t$L)t$P+t$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$T,t$T-t$T.t$`*t$d)t$d,t$dwmapi.dll$kernel32$l+t$l-t$t.t$uxtheme.dll$x*t$|)t$(t$)t$+t$,t$-t
    • API String ID: 2644799563-619109046
    • Opcode ID: c06f63dba1da5ae712495ff4a95421abe56b4d54e23ed6a5d8099f22874b03f8
    • Instruction ID: c4b6f96ce3dfd8c76a3163a977759a44fbe615ecdfe96aa8b3e2b4163ff74b74
    • Opcode Fuzzy Hash: c06f63dba1da5ae712495ff4a95421abe56b4d54e23ed6a5d8099f22874b03f8
    • Instruction Fuzzy Hash: B1F194B140128CEBCB35DF68CC49BDD3BA8BF05314F904129F9095B292DB78569ACBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_catch_GS.LIBCMT ref: 0072786A
      • Part of subcall function 00711B78: GetDlgItem.USER32(00000000,00003021), ref: 00711BBC
      • Part of subcall function 00711B78: SetWindowTextW.USER32(00000000,00742668), ref: 00711BD2
    • EndDialog.USER32(?,00000000), ref: 00727978
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007279B7
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007279D1
    • IsDialogMessageW.USER32(?,?), ref: 007279E4
    • TranslateMessage.USER32(?), ref: 007279F2
    • DispatchMessageW.USER32(?), ref: 007279FC
    • EndDialog.USER32(?,00000001), ref: 00727A3E
    • GetDlgItem.USER32(?,00000068), ref: 00727A64
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00727A7F
    • SendMessageW.USER32(00000000,000000C2,00000000,00742668), ref: 00727A92
    • SetFocus.USER32(00000000), ref: 00727A99
    • GetLastError.KERNEL32(00000000,?), ref: 00727B80
    • GetLastError.KERNEL32(00000000,?), ref: 00727BAC
    • GetTickCount.KERNEL32 ref: 00727BD9
    • GetLastError.KERNEL32 ref: 00727C35
    • GetCommandLineW.KERNEL32 ref: 00727D59
    • _wcslen.LIBCMT ref: 00727D66
    • CreateFileMappingW.KERNEL32(000000FF,00000000,08000004,00000000,?,winrarsfxmappingfile.tmp,?,0076AB80,00000400,00000001,00000001), ref: 00727DE5
    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 00727E03
    • ShellExecuteExW.SHELL32(0000003C), ref: 00727E3C
    • WaitForInputIdle.USER32(?,00002710), ref: 00727E6B
    • Sleep.KERNEL32(00000064), ref: 00727E85
    • UnmapViewOfFile.KERNEL32(?,?,?,?,?,?,?,0076AB80,00000400), ref: 00727EC1
    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0076AB80,00000400), ref: 00727ECD
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 00727FD2
      • Part of subcall function 00711B53: GetDlgItem.USER32(?,?), ref: 00711B68
      • Part of subcall function 00711B53: ShowWindow.USER32(00000000), ref: 00711B6F
    • SetDlgItemTextW.USER32(?,00000065,00742668), ref: 00727FEA
    • GetDlgItem.USER32(?,00000065), ref: 00727FF3
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00728002
    • DialogBoxParamW.USER32(LICENSEDLG,00000000,Function_00017630,00000000,?), ref: 00728382
    • EndDialog.USER32(?,00000001), ref: 00728396
    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00728011
      • Part of subcall function 00725335: __EH_prolog3_GS.LIBCMT ref: 0072533C
      • Part of subcall function 00725335: ShowWindow.USER32(?,00000000,00000038), ref: 00725364
      • Part of subcall function 00725335: GetWindowRect.USER32(?,?), ref: 007253A8
      • Part of subcall function 00725335: ShowWindow.USER32(?,00000005,?,00000000), ref: 00725443
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007280AF
    • SendMessageW.USER32(?,00000080,00000001,0001044F), ref: 007281E4
    • SendDlgItemMessageW.USER32(?,0000006C,00000172,00000000,00050E1A), ref: 007281FD
    • GetDlgItem.USER32(?,00000068), ref: 00728206
    • SendMessageW.USER32(00000000,00000435,00000000,00400000), ref: 0072821E
    • GetDlgItem.USER32(?,00000066), ref: 00728246
    • SetDlgItemTextW.USER32(?,0000006B,00000000), ref: 007282BD
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 007282D1
    • EnableWindow.USER32(?,00000000), ref: 00728507
    • SendMessageW.USER32(?,00000111,00000001,00000000), ref: 00728548
    • SetDlgItemTextW.USER32(?,00000001,00000000), ref: 0072856D
      • Part of subcall function 00728CAF: __EH_prolog3_GS.LIBCMT ref: 00728CB9
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Item$Message$TextWindow$Send$Dialog$ErrorFileLastShow$H_prolog3_LongView$CloseCommandCountCreateDispatchEnableExecuteFocusH_prolog3_catch_HandleIdleInputLineMappingParamRectShellSleepTickTranslateUnmapWait_wcslen
    • String ID: ,@t$-el -s2 "-d%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_$winrarsfxmappingfile.tmp
    • API String ID: 3616063595-1030301971
    • Opcode ID: b744e821772973a3fa2bd52056a559ad51a193794f7ade1f94273346de9ec988
    • Instruction ID: e39720e9860f96f8bfa7e89f2055330b47c074edafd9074a7ef2946d78bfb2cc
    • Opcode Fuzzy Hash: b744e821772973a3fa2bd52056a559ad51a193794f7ade1f94273346de9ec988
    • Instruction Fuzzy Hash: F172D670905358EEEB25EB64EC49FEE7B78AB11300F008059F106B61D2DBBC5A85CF26
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 007275D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007275E9
      • Part of subcall function 007275D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007275FA
      • Part of subcall function 007275D8: IsDialogMessageW.USER32(0001044A,?), ref: 0072760E
      • Part of subcall function 007275D8: TranslateMessage.USER32(?), ref: 0072761C
      • Part of subcall function 007275D8: DispatchMessageW.USER32(?), ref: 00727626
    • GetDlgItem.USER32(00000068,00000000), ref: 0072A4F5
    • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,00726CE1,00000001,?,?), ref: 0072A51A
    • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 0072A529
    • SendMessageW.USER32(00000000,000000C2,00000000,00742668), ref: 0072A537
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0072A551
    • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 0072A56B
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0072A5AF
    • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 0072A5C2
    • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 0072A5D5
    • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 0072A5FC
    • SendMessageW.USER32(00000000,000000C2,00000000,00742690), ref: 0072A60B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
    • String ID: \
    • API String ID: 3569833718-2967466578
    • Opcode ID: db2432d4abf6f82785f5d6ed92f4f796032c71524389bfcc29770f3b84ac16ca
    • Instruction ID: d748e70e377cca7803d330d828275a5413fd9ad4553b2826f43fcce1110d1424
    • Opcode Fuzzy Hash: db2432d4abf6f82785f5d6ed92f4f796032c71524389bfcc29770f3b84ac16ca
    • Instruction Fuzzy Hash: 0D31F8F1145304BFE311EF24DC59F6BBBA8EF47314F408509F69296291D7B899048BAB
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0072A807
    • ShellExecuteExW.SHELL32(?), ref: 0072AA04
    • IsWindowVisible.USER32(?), ref: 0072AA2F
    • ShowWindow.USER32(?,00000000), ref: 0072AA3D
    • WaitForInputIdle.USER32(?,000007D0), ref: 0072AA4D
    • GetExitCodeProcess.KERNELBASE(?,?), ref: 0072AA6F
    • FindCloseChangeNotification.KERNELBASE(?), ref: 0072AA93
    • ShowWindow.USER32(?,00000001), ref: 0072AAD6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Window$Show$ChangeCloseCodeExecuteExitFindH_prolog3_IdleInputNotificationProcessShellVisibleWait
    • String ID: .exe$.inf
    • API String ID: 2125671723-3750412487
    • Opcode ID: 40caae55a658d39428fd5000b768c9b16964260ceb8cf6bd62ac78a169b174d6
    • Instruction ID: bf2faf4013678fdf0b04767e47425feb41f13daf679809047393b9672ba7a199
    • Opcode Fuzzy Hash: 40caae55a658d39428fd5000b768c9b16964260ceb8cf6bd62ac78a169b174d6
    • Instruction Fuzzy Hash: 7CB1C071E00269EFDF16DF64EA48BED77B5AF44300F148019E845A7251E77CAD86CB42
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __allrem.LIBCMT ref: 0071D739
      • Part of subcall function 0071CB19: _swprintf.LIBCMT ref: 0071CB52
    • __allrem.LIBCMT ref: 0071D7B1
    • _wcslen.LIBCMT ref: 0071DB92
      • Part of subcall function 0071C24D: __EH_prolog3_catch.LIBCMT ref: 0071C254
      • Part of subcall function 0071EE8E: __EH_prolog3_GS.LIBCMT ref: 0071EE98
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: __allrem$H_prolog3_H_prolog3_catch_swprintf_wcslen
    • String ID: AES-0017$z01$zip$zipx$zx01
    • API String ID: 538351651-1958518654
    • Opcode ID: 0de8c653d1d955d5a55d661dba51a7eece24c7851ac6cce7ff006ebf22ce282b
    • Instruction ID: ec5a62bcfcb542b2f8d9c4f72bfc1b65a446df0a2292fe81e933fc22e076c558
    • Opcode Fuzzy Hash: 0de8c653d1d955d5a55d661dba51a7eece24c7851ac6cce7ff006ebf22ce282b
    • Instruction Fuzzy Hash: CED28AB1900348EBDB25DF68D884AED7BB5FB09300F14816AE806A7291D7BC9EC5CF55
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _wcslen
    • String ID: <>t$HIDE$MAX$MIN
    • API String ID: 176396367-4029015526
    • Opcode ID: 9b11c574d4c83e5f46a0605206b8ec96f820b96cff281c4844b6a6425d681463
    • Instruction ID: afa738c4d1970e81c1b26adeeccd1f63440db855a1fe1c941cddad5bca523bda
    • Opcode Fuzzy Hash: 9b11c574d4c83e5f46a0605206b8ec96f820b96cff281c4844b6a6425d681463
    • Instruction Fuzzy Hash: CBB1D331D00268DBCF24EFA8DC88ADDB7B8BF45310F54015AE505B7282EB789A85CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0071AD33
      • Part of subcall function 00715032: GetVersionExW.KERNEL32(?), ref: 00715063
    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0071AD57
    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0071AD71
    • TzSpecificLocalTimeToSystemTime.KERNELBASE(00000000,?,?), ref: 0071AD84
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0071AD94
    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0071ADA4
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Time$File$System$Local$SpecificVersion
    • String ID:
    • API String ID: 2092733347-0
    • Opcode ID: 9b9fff6040cd60de15a65d2ec13760c0e8379a0450b9491ce775303d251c88da
    • Instruction ID: d1c5f022989deafa66661973fab34c54322fafd7a127e0774dcbb9dd8495d84a
    • Opcode Fuzzy Hash: 9b9fff6040cd60de15a65d2ec13760c0e8379a0450b9491ce775303d251c88da
    • Instruction Fuzzy Hash: 5D413D791083059BC704DFA8D88499BB7F8FF98710F44891EF585C7260E734D545CBA6
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0072AF0C
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0072AF26
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0072AF37
    • TranslateMessage.USER32(?), ref: 0072AF41
    • DispatchMessageW.USER32(?), ref: 0072AF4B
    • WaitForSingleObject.KERNEL32(?,0000000A), ref: 0072AF56
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
    • String ID:
    • API String ID: 2148572870-0
    • Opcode ID: e5c017c56cd929fa1b2595f4d2b6c448b20dbd5aa115460f4684b22bd9b2dcb4
    • Instruction ID: 96d16056c403b85d7c5d85ab4f3ab298cc7227bad586e3240ec4946ecc823208
    • Opcode Fuzzy Hash: e5c017c56cd929fa1b2595f4d2b6c448b20dbd5aa115460f4684b22bd9b2dcb4
    • Instruction Fuzzy Hash: 6AF0A9B2A00229BBCF216BA1EC4CDEF7F2CEF42391B008021F60AD2051D67CC546CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetDlgItem.USER32(?,00000066), ref: 00729609
    • SendMessageW.USER32(00000000,00000143,00000000,0076AAD0), ref: 00729636
    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00729662
    • __EH_prolog3_GS.LIBCMT ref: 0072A452
    Strings
    • Software\Microsoft\Windows\CurrentVersion, xrefs: 00729554
    • ProgramFilesDir, xrefs: 00729540
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: MessageSend$H_prolog3_Item
    • String ID: ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
    • API String ID: 4098331016-2634093826
    • Opcode ID: 7816132e337d5516791d17de74e5df796a424ee85a3251e1f5aaf65a53fe2546
    • Instruction ID: 3438ea3e13b42fa7b9396bdfb47fcdb2528203975fd2fdb65f61c4737e10eff9
    • Opcode Fuzzy Hash: 7816132e337d5516791d17de74e5df796a424ee85a3251e1f5aaf65a53fe2546
    • Instruction Fuzzy Hash: ED81A131800268DBCF15EBE4D895FEEB778AF18300F54405AE646B7181EB785BC9CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • GetClassNameW.USER32(?,?,00000050), ref: 00726378
    • SHAutoComplete.SHLWAPI(?,00000010), ref: 007263AF
      • Part of subcall function 0071BF3C: CompareStringW.KERNEL32(00000400,00001001,D5FC40FB,000000FF,?,000000FF,007153ED,0000002E,-00000002,00000000,?,00000000,?,00000008,?,?), ref: 0071BF52
    • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 0072639F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AutoClassCompareCompleteFindNameStringWindow
    • String ID: @Ut$EDIT
    • API String ID: 4243998846-2065656831
    • Opcode ID: 78810b168490038c0af8aa6a3e5524029164ff635e7721c9fb66e13e31684990
    • Instruction ID: db852a6066a0ba0e564be31083db9da7d45d91d087983d1908b01363b851edbb
    • Opcode Fuzzy Hash: 78810b168490038c0af8aa6a3e5524029164ff635e7721c9fb66e13e31684990
    • Instruction Fuzzy Hash: 74F0A431601328BBDB21DB649D05FAE77BC9F46710F004065FA41E7181D7B8EE058AA9
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
      • Part of subcall function 0071A473: __EH_prolog3_GS.LIBCMT ref: 0071A47A
      • Part of subcall function 0071A473: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0071A4AF
    • OleInitialize.OLE32(00000000), ref: 00726576
    • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 007265AD
    • SHGetMalloc.SHELL32(0076AA78), ref: 007265B7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: DirectoryGdiplusH_prolog3_InitializeMallocStartupSystem
    • String ID: riched20.dll$3Po
    • API String ID: 2446841611-3847370236
    • Opcode ID: de81607aedb32886d11399bc6e1b30ab0b6fe0236da9fce2a1b710a3d1a3778d
    • Instruction ID: 1b4c758d5252b5b3d23fd2a37a3be5be44f78537c4b2690768f8040c24f1598f
    • Opcode Fuzzy Hash: de81607aedb32886d11399bc6e1b30ab0b6fe0236da9fce2a1b710a3d1a3778d
    • Instruction Fuzzy Hash: 81F049B1900249EBCB10AFA9DD499EFFBFCEF95700F00801AE856A2241C7B85605CFA1
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • CreateFileW.KERNELBASE(00000000,?,?,00000000,00000003,08000000,00000000,D5FC40FB,?,00000000,?,?,?,00000000,0073FCB8,000000FF), ref: 00713718
    • GetLastError.KERNEL32(?,?,00000000,0073FCB8,000000FF), ref: 0071372A
    • CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,?,?,00000000,0073FCB8,000000FF), ref: 00713776
    • GetLastError.KERNEL32(?,?,00000000,0073FCB8,000000FF), ref: 0071377F
    • SetFileTime.KERNEL32(00000000,00000000,?,00000000,?,?,00000000,0073FCB8,000000FF), ref: 00713816
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: File$CreateErrorLast$Time
    • String ID:
    • API String ID: 1999340476-0
    • Opcode ID: 90becdfee05475ab20827ee45e9586435791460121da05ab75686bbe83fbc9ae
    • Instruction ID: b2b2bf4172e3d8e384de0bd430e7060392078355b06a0404f7b0ed0952a6dc2f
    • Opcode Fuzzy Hash: 90becdfee05475ab20827ee45e9586435791460121da05ab75686bbe83fbc9ae
    • Instruction Fuzzy Hash: EB61AFB4904249AFDB14CF68C985BEE7BA4FF04324F20421AF915973D1D7789A84CB94
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007275E9
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007275FA
    • IsDialogMessageW.USER32(0001044A,?), ref: 0072760E
    • TranslateMessage.USER32(?), ref: 0072761C
    • DispatchMessageW.USER32(?), ref: 00727626
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Message$DialogDispatchPeekTranslate
    • String ID:
    • API String ID: 1266772231-0
    • Opcode ID: df96f33839a9e6a5aea12de7d4a9cf603c4b86af10c3c369295d0ab281847550
    • Instruction ID: 299967850b15fb3e037a664e6f7323928351bcafa64ba9360da70586b0f32067
    • Opcode Fuzzy Hash: df96f33839a9e6a5aea12de7d4a9cf603c4b86af10c3c369295d0ab281847550
    • Instruction Fuzzy Hash: EAF0B7B290222AABCB24ABF6AD4CDEB7F7CEE052907408415F546D3050E6BCD505CAB5
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _strncpy$Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
    • String ID:
    • API String ID: 2527496121-0
    • Opcode ID: 591f5b862415c08786b0c81e9e9004b2580f776ddda8e5a9fe6c4d6c8ec0e6f4
    • Instruction ID: cd82419d59acccdee3d16dab10cd7f06403b1add745c6a7d1c3f85cad526862f
    • Opcode Fuzzy Hash: 591f5b862415c08786b0c81e9e9004b2580f776ddda8e5a9fe6c4d6c8ec0e6f4
    • Instruction Fuzzy Hash: C6B1A3B1505310AFC704DF28EC85A2A77F5FBA8310F15852EE546A3361E7BCA9448F9A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00713D8F
    • GetStdHandle.KERNEL32(000000F5,0000002C,0071F3B8,?,?,?,?,?,0071FBCE,0075A6BC,?,00720570,00010000), ref: 00713DB8
    • WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 00713DFE
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: FileH_prolog3_HandleWrite
    • String ID:
    • API String ID: 2898186245-0
    • Opcode ID: 483b2ae5b0756c11ccf8e3c7161c2a0ec1dcfbff93e31a00c35bb1f5b2c0c734
    • Instruction ID: e8d9ba686ea170246dd710f5c353ee240fe16d073ef14431d76067e997cd7acc
    • Opcode Fuzzy Hash: 483b2ae5b0756c11ccf8e3c7161c2a0ec1dcfbff93e31a00c35bb1f5b2c0c734
    • Instruction Fuzzy Hash: 4141B034B01244ABDF14DF68E884BED7B76BF95700F044129F841AB2D1CB799E89CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00714747
    • CreateDirectoryW.KERNELBASE(?,00000000,?,00000024,007142E9,?,00000001,00000000,?,?,?,?,?,00000024), ref: 00714770
    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,?,00000024,007142E9,?,00000001,00000000,?,?), ref: 007147C6
    • GetLastError.KERNEL32(?,?,00000024,007142E9,?,00000001,00000000,?,?,?,?,?,00000024), ref: 00714834
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CreateDirectory$ErrorH_prolog3_Last
    • String ID:
    • API String ID: 3709856315-0
    • Opcode ID: 52fe3e209e7b35cb2904d309b1a9220fb29fe90cda44d62141507a385ee3382e
    • Instruction ID: f1b87afcdd808405a19cc7b12576662186562890caa2c29799b6511344569b0a
    • Opcode Fuzzy Hash: 52fe3e209e7b35cb2904d309b1a9220fb29fe90cda44d62141507a385ee3382e
    • Instruction Fuzzy Hash: 6331C174900259DBDF10EFECD888AEEBBF8AF49310F14442AE500E72D1D7389A80CB64
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetStdHandle.KERNEL32(000000F6), ref: 00713519
    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00713531
    • GetLastError.KERNEL32 ref: 00713563
    • GetLastError.KERNEL32 ref: 00713582
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ErrorLast$FileHandleRead
    • String ID:
    • API String ID: 2244327787-0
    • Opcode ID: 9bb2d962f574f6a95cefd04baaf1b523cc124cc02122669e19fd4e3533691868
    • Instruction ID: 2978e11e5678f2f51c9fe784068ddb13c2fc8af37de52102945937bbf080beac
    • Opcode Fuzzy Hash: 9bb2d962f574f6a95cefd04baaf1b523cc124cc02122669e19fd4e3533691868
    • Instruction Fuzzy Hash: 7A117335500204EBDF205F38C8085ED3BAAAB06B61F508A2AF526851E0D779DFE1DB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00713391
    • CreateFileW.KERNELBASE(?,?,?,00000000,00000002,00000000,00000000,?,?,?,?,?,00000024), ref: 00713405
    • CreateFileW.KERNEL32(?,?,?,00000000,00000002,00000000,00000000,?,?,?,?,?,?,?,00000024), ref: 00713455
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CreateFile$H_prolog3_
    • String ID:
    • API String ID: 1771569470-0
    • Opcode ID: 6dde5d15c7adc23ad3129446b0d809f2f091aaced5f6f3885500b17a64046a75
    • Instruction ID: ff66a5452c945b0c056d429ecacebc4880696fbc66fd174ffd13b184d845265a
    • Opcode Fuzzy Hash: 6dde5d15c7adc23ad3129446b0d809f2f091aaced5f6f3885500b17a64046a75
    • Instruction Fuzzy Hash: 6E416471D10248DFDF14DFA8D889BEEB7B4BB08320F10461EE551E62D1D7789A84CB25
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0071A47A
    • GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0071A4AF
    • LoadLibraryW.KERNELBASE(00000000,?,?,00000000,00000000,?), ref: 0071A521
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: DirectoryH_prolog3_LibraryLoadSystem
    • String ID:
    • API String ID: 1552931673-0
    • Opcode ID: 1deae1a6caeb04475fc6a1654079e944ec8f80488c1699a7107732ad0a75850d
    • Instruction ID: 007766ea4f8c875f33a52713855a37ce18023b9659d6f8ed9d32fbece04e37b1
    • Opcode Fuzzy Hash: 1deae1a6caeb04475fc6a1654079e944ec8f80488c1699a7107732ad0a75850d
    • Instruction Fuzzy Hash: 60318175D04248EBCB01DFE8D889BEEBBB9AF44714F10411DE505BB282DB785A84CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00714A36
    • SetFileAttributesW.KERNELBASE(?,00000000,00000024,00714830,?,?,?,?,?,?,00000024,007142E9,?,00000001,00000000,?), ref: 00714A4C
    • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000024), ref: 00714A8F
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AttributesFile$H_prolog3_
    • String ID:
    • API String ID: 2559025557-0
    • Opcode ID: acfaafc6e3786c247007298abbf937f2dd51c5fa5a7b30ffe258f630a647c281
    • Instruction ID: 5bf82be0b2413cac89a97c1a157ef6271b8cdd97633f86a78da99fae4732fcfb
    • Opcode Fuzzy Hash: acfaafc6e3786c247007298abbf937f2dd51c5fa5a7b30ffe258f630a647c281
    • Instruction Fuzzy Hash: 4A113D71940219DBDF05DFA8E9459DEB7B8EF08311F14802AF540F7251D738DA94CB68
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 007143AC
    • DeleteFileW.KERNELBASE(000000FF,00000024,00713503,?,?,007132FA,?,?,D5FC40FB,?,?,0073FC52,000000FF), ref: 007143BF
    • DeleteFileW.KERNEL32(?,000000FF,?,?,007132FA,?,?,D5FC40FB,?,?,0073FC52,000000FF), ref: 007143FF
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: DeleteFile$H_prolog3_
    • String ID:
    • API String ID: 3558260747-0
    • Opcode ID: 5054b58ac1d7334940a56989a6ad8a50784bc07c3614b3e80640703562a47a12
    • Instruction ID: de418dd485bd6c07b1104fee24c5e2f71ce3b670eb5b7083262837e6627b6362
    • Opcode Fuzzy Hash: 5054b58ac1d7334940a56989a6ad8a50784bc07c3614b3e80640703562a47a12
    • Instruction Fuzzy Hash: D7111971900259DBDF04DFA8E849ADEB7B8AF08710F54402AF900F7291DB389A84CB79
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00714468
    • GetFileAttributesW.KERNELBASE(?,00000024,00714458,?,0071478C,?,?,00000024,007142E9,?,00000001,00000000,?,?), ref: 0071447B
    • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00000024), ref: 007144BB
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AttributesFile$H_prolog3_
    • String ID:
    • API String ID: 2559025557-0
    • Opcode ID: 0e982a679df275da4a01d7e62b5b9d5991af9d988ba3006e1c4a9a274a0d3b12
    • Instruction ID: 307b62425749b09a0c6f48b671bb165392058805021f14f9a41fc8a1ac885891
    • Opcode Fuzzy Hash: 0e982a679df275da4a01d7e62b5b9d5991af9d988ba3006e1c4a9a274a0d3b12
    • Instruction Fuzzy Hash: E5111C71D102589BCF14DFACD889ADDBBF5AB08321F14452AF804F3391D7389A85CB68
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 007139F7
    • GetLastError.KERNEL32 ref: 00713A06
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: cafe24fac43712b95966343923ea522aa20b99ba7952ae81748a55e7b458d63e
    • Instruction ID: 5efc798d2f01485479ab5a4b8acded1ec72af635f12f495a2763885a327f9763
    • Opcode Fuzzy Hash: cafe24fac43712b95966343923ea522aa20b99ba7952ae81748a55e7b458d63e
    • Instruction Fuzzy Hash: 7D41D331608345DBD7249F68C4846EAB7E5FB49324F14492EE88687281D7FCFEC58BA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FlushFileBuffers.KERNEL32(?), ref: 00713C2C
    • SetFileTime.KERNELBASE(?,?,?,?), ref: 00713CE0
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: File$BuffersFlushTime
    • String ID:
    • API String ID: 1392018926-0
    • Opcode ID: 239af07ad6cfe681145f6705b3185d3082dddb15e0d5d9b1180ed897816ee329
    • Instruction ID: 15fbc0a9d73aee183f2a5889d31ae1a83f20dade302d597c8388e9c5771199e4
    • Opcode Fuzzy Hash: 239af07ad6cfe681145f6705b3185d3082dddb15e0d5d9b1180ed897816ee329
    • Instruction Fuzzy Hash: 9021CE31248346ABCB14CF29C895AEABBE4AF55704F04481DF495931D1D32DEA8DC7B2
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000001), ref: 00713D37
    • GetLastError.KERNEL32 ref: 00713D44
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ErrorFileLastPointer
    • String ID:
    • API String ID: 2976181284-0
    • Opcode ID: e3f244cfc25cd7e3aa342f334d219a403264821525e730b1c273d14b50e35e09
    • Instruction ID: 7a4c1592a97b7c28115570a285d46fc5b85b1512cffef6ad2ac6ecefbef3db9b
    • Opcode Fuzzy Hash: e3f244cfc25cd7e3aa342f334d219a403264821525e730b1c273d14b50e35e09
    • Instruction Fuzzy Hash: 8F11E531700600ABE734962CE844BE677E8AB45371F604A29E492D25E1D778EEC6C760
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00711A1D
    • GetDlgItem.USER32(?,?), ref: 00711A35
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_Item_wcslen
    • String ID:
    • API String ID: 896027972-0
    • Opcode ID: 1001af3b19b10b70f053b34cee1655afbac8ead0795c09fbde8efc4251452b16
    • Instruction ID: be1f5364c6dbe13f74924a91d587b9199048dc6f7540001ca1473974dcd6446e
    • Opcode Fuzzy Hash: 1001af3b19b10b70f053b34cee1655afbac8ead0795c09fbde8efc4251452b16
    • Instruction Fuzzy Hash: 4201D870A41304DED711EF6CC85ABEDBBF8AF54740F804119F6419B2D1C7B89985C750
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GdiplusShutdown.GDIPLUS(?,?,?,?,0074086E,000000FF), ref: 00726601
    • OleUninitialize.OLE32(?,?,?,?,0074086E,000000FF), ref: 00726606
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: GdiplusShutdownUninitialize
    • String ID:
    • API String ID: 3856339756-0
    • Opcode ID: db14597abbe8e6d3bfce9f90d68da6fb138fa57e2f37bcf527365af809c58d44
    • Instruction ID: 3530ab96809b0a3ac299342edd43480c2873dcbd09722c6f1ce5314001100414
    • Opcode Fuzzy Hash: db14597abbe8e6d3bfce9f90d68da6fb138fa57e2f37bcf527365af809c58d44
    • Instruction Fuzzy Hash: 4FF0827A604614EFD701DB59ED05B4ABBA8FB4AB30F008627F416D3760DB78A840CB94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_catch_wcslen
    • String ID:
    • API String ID: 1260878687-0
    • Opcode ID: 7543c17cd5de54c8a2fcd819c950e05bc2e4b215d59b076b525ae1aaccfe5e09
    • Instruction ID: 659f6d99dbc18683fab2f3f84ba48f2f01adb8d42f98e5d4917b0f902647cbbd
    • Opcode Fuzzy Hash: 7543c17cd5de54c8a2fcd819c950e05bc2e4b215d59b076b525ae1aaccfe5e09
    • Instruction Fuzzy Hash: C7F0FE7290012DDADB01FFA4E906AEF7BB8AF14310F204066F604B6141DA395B418BA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0072593A
    • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00725941
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: BitmapCreateFromGdipStream
    • String ID:
    • API String ID: 1918208029-0
    • Opcode ID: 201af013e939e9d10508547f94d796f0b4a366cf2109d6028c5262b96d095e1c
    • Instruction ID: 4bee2b7fd4ed8e319755bb5872d9a5c165ca2198fabd8c6530de97cb59735258
    • Opcode Fuzzy Hash: 201af013e939e9d10508547f94d796f0b4a366cf2109d6028c5262b96d095e1c
    • Instruction Fuzzy Hash: DFE0EDB1500228EBCB11DF54D54579DB7F8EB04720F20845AA885A3201E278AE44DF92
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ItemShowWindow
    • String ID:
    • API String ID: 3351165006-0
    • Opcode ID: dbc4470dfd4fb8d55c564fc64dc29abb13c145361d51f0797fa1c8ba5887e13a
    • Instruction ID: c3227d07d5748b1b5da0e3bac7c8b9b515ad08452ee244abded39505700ac240
    • Opcode Fuzzy Hash: dbc4470dfd4fb8d55c564fc64dc29abb13c145361d51f0797fa1c8ba5887e13a
    • Instruction Fuzzy Hash: 69C012B2058244BECB021BB4DC09C3EBBA8ABA6212F10C908F1E6C1061D23CC014DB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_
    • String ID:
    • API String ID: 2427045233-0
    • Opcode ID: d9a0a7a8b799c69fa7474d0f3ecac326fcf3565f067aa2465e00462129868c35
    • Instruction ID: 6accb1a18bd661349b885f3caf7cb7e9e86fa0136a40880b9a2ba4af037c5309
    • Opcode Fuzzy Hash: d9a0a7a8b799c69fa7474d0f3ecac326fcf3565f067aa2465e00462129868c35
    • Instruction Fuzzy Hash: 3B719171900219EBDB15DFACD889AEEBBB9EF08310F188525E411F7291DB7CD9808F65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00721387
      • Part of subcall function 00721D76: __EH_prolog3_GS.LIBCMT ref: 00721D7D
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_
    • String ID:
    • API String ID: 2427045233-0
    • Opcode ID: 85a7837150f90711682eccdb1d3d198fd5add1fab15ebdc0e84db3c889e121b9
    • Instruction ID: fc2e34900b63d26a6a2dba868cb7575e17974fa8a7c683b857e64c84f40f5cfa
    • Opcode Fuzzy Hash: 85a7837150f90711682eccdb1d3d198fd5add1fab15ebdc0e84db3c889e121b9
    • Instruction Fuzzy Hash: 8D414F70D00258DBCB20EFE9D8856DCBBB5FF59310FA4806ED10AA7292DB784985CF11
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: __allrem
    • String ID:
    • API String ID: 2933888876-0
    • Opcode ID: 17ef88479d0c752830f982fcaa1ffbb12c2b1898ae70127e489ff35fa9e2a4c2
    • Instruction ID: 51336afb102f01440df8707cff199583bb1ddc3fca12b1345c8b31af49f9b050
    • Opcode Fuzzy Hash: 17ef88479d0c752830f982fcaa1ffbb12c2b1898ae70127e489ff35fa9e2a4c2
    • Instruction Fuzzy Hash: 0E319275601310AFC705DF1CEC94A6937A5FB98710B19812AE903E73B1D7BCAC418F9A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_
    • String ID:
    • API String ID: 2427045233-0
    • Opcode ID: 920c3ae73198126ab2173a58ebe2963ff073b02b43a2b559a0121044333ebc20
    • Instruction ID: 569f0ee1367e0caa081c2fab4095e04f992d49f6dd1d6653ffc83eb4c7ef6b6f
    • Opcode Fuzzy Hash: 920c3ae73198126ab2173a58ebe2963ff073b02b43a2b559a0121044333ebc20
    • Instruction Fuzzy Hash: 4321AE70600204EADF20EA68884AAEE73E9BF53B80F500518F881AB1C1D73C9EC9C660
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0071F4F5
      • Part of subcall function 00714C75: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,0071FA7D,0076B1E4,-00000070,00000000), ref: 00714C9D
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CloseFindH_prolog3_
    • String ID:
    • API String ID: 2672038326-0
    • Opcode ID: 80ee9b0d10397637b782d723ce10c1d563d3c96080e3df177ab54dc5549175ce
    • Instruction ID: 3a09c5666db9ddd104a4256e3d4c9b0bf755bf39981471e7048bd9a121081240
    • Opcode Fuzzy Hash: 80ee9b0d10397637b782d723ce10c1d563d3c96080e3df177ab54dc5549175ce
    • Instruction Fuzzy Hash: DD215BB0E05254DADF14EFACA8496EDBBB2BF08700F20413EE406A7392DB7849558F55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_
    • String ID:
    • API String ID: 2427045233-0
    • Opcode ID: c3b4e3046c6b86994b142cf4ec7c619e07b302e3f0c6ab77ee04365742b8f3bf
    • Instruction ID: b9c2b84e31f5a55be614b72dee3f7cf29325d7c6b2f4bc82ff29e1d4cb7c3925
    • Opcode Fuzzy Hash: c3b4e3046c6b86994b142cf4ec7c619e07b302e3f0c6ab77ee04365742b8f3bf
    • Instruction Fuzzy Hash: 7E2187B1D04218DFDB08EFA4E989EDE7BB9BF44300F140019F101E7291D7399A95CB65
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 007384D6: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0073681A,00000001,00000364,?,0072D656,?,?,?,00000000,?,0072C08A,0072C17E), ref: 00738517
    • _free.LIBCMT ref: 00739885
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AllocateHeap_free
    • String ID:
    • API String ID: 614378929-0
    • Opcode ID: cad4fd7691973b889dac81a4565274e961a8517fcde5adeb8a615647a0e82bc5
    • Instruction ID: 01c399cba3216f38df54c2129d75da3abe030251512c42865a5ec3d1a07ea0f3
    • Opcode Fuzzy Hash: cad4fd7691973b889dac81a4565274e961a8517fcde5adeb8a615647a0e82bc5
    • Instruction Fuzzy Hash: 74012673200345ABF7218F65D88599AFBD8FBC6370F25062DE68483281EA74A805C674
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0073681A,00000001,00000364,?,0072D656,?,?,?,00000000,?,0072C08A,0072C17E), ref: 00738517
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: d377959355b4ba50b145bb7ccd2c2919b4b65014a4db8193c65c79f40c30fbae
    • Instruction ID: 0329d0f888b0b08dee5a12da3ce8366cb499c5c48b389ab2a37f13429dc42a66
    • Opcode Fuzzy Hash: d377959355b4ba50b145bb7ccd2c2919b4b65014a4db8193c65c79f40c30fbae
    • Instruction Fuzzy Hash: 34F0B432644325A7FF615B22DC05B9B3748EF81760F298012F814D6093DF78DD1186E7
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RtlAllocateHeap.NTDLL(00000000,0072C17E,?,?,0072D656,?,?,?,00000000,?,0072C08A,0072C17E,?,?,?,?), ref: 00736BA0
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AllocateHeap
    • String ID:
    • API String ID: 1279760036-0
    • Opcode ID: 441d1eeec0667092c6dc8e4eda060fb8c177f21c3a62405690aa0dd3add20ca3
    • Instruction ID: 41b6c1689eb38a6c653bd3ff8aa244f50f0a3da453640d25cc2b23c4d0545127
    • Opcode Fuzzy Hash: 441d1eeec0667092c6dc8e4eda060fb8c177f21c3a62405690aa0dd3add20ca3
    • Instruction Fuzzy Hash: B8E065B5244221B7FA213765DC09B5BBA88DF427A0F3AC121EC55D7093DB6DDC0089E4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00713301,?,?,D5FC40FB,?,?,0073FC52,000000FF), ref: 0071335B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: 8c358b6b6545c04eea392fe42a8fc3326f97fb1a4a6e4ff2fcd90fa2248ff3c0
    • Instruction ID: d7a47173106a2788cc5eba7a1f868f3736172ec2e9a463fc263984fc1af49c68
    • Opcode Fuzzy Hash: 8c358b6b6545c04eea392fe42a8fc3326f97fb1a4a6e4ff2fcd90fa2248ff3c0
    • Instruction Fuzzy Hash: BAF0A0B0445B01CFEB308B2CD8083D277E46B12370F044B1EE0F2824E0CB68ABDADA54
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00714D8A: __EH_prolog3_GS.LIBCMT ref: 00714D94
      • Part of subcall function 00714D8A: FindFirstFileW.KERNELBASE(?,-00000278,00000274,00714C97,000000FF,?,?,?,?,0071FA7D,0076B1E4,-00000070,00000000), ref: 00714DBD
      • Part of subcall function 00714D8A: FindFirstFileW.KERNELBASE(-00000028,-00000278,?,-00000028,?,?,?,?,?,?,?,?,?,?,0072114C,00000000), ref: 00714E08
      • Part of subcall function 00714D8A: GetLastError.KERNEL32(?,-00000028,?,?,?,?,?,?,?,?,?,?,0072114C,00000000), ref: 00714E66
    • FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,0071FA7D,0076B1E4,-00000070,00000000), ref: 00714C9D
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Find$FileFirst$CloseErrorH_prolog3_Last
    • String ID:
    • API String ID: 765066492-0
    • Opcode ID: 2fd2b7481c2ec115965241f401906147b3a138c35345d2013766473568ccb08c
    • Instruction ID: 97fbf362f288ce7dd9c25fa8efdc08e01f39db4be3ce33ebedad936c1e96b849
    • Opcode Fuzzy Hash: 2fd2b7481c2ec115965241f401906147b3a138c35345d2013766473568ccb08c
    • Instruction Fuzzy Hash: BCF08235009790EACF215FAC5909ADB7BE06F16330F144B09F0E9026E2C638D4959B62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00723F1D
      • Part of subcall function 00713650: CreateFileW.KERNELBASE(00000000,?,?,00000000,00000003,08000000,00000000,D5FC40FB,?,00000000,?,?,?,00000000,0073FCB8,000000FF), ref: 00713718
      • Part of subcall function 00713650: GetLastError.KERNEL32(?,?,00000000,0073FCB8,000000FF), ref: 0071372A
      • Part of subcall function 00713650: CreateFileW.KERNEL32(?,?,?,00000000,00000003,08000000,00000000,?,?,?,?,00000000,0073FCB8,000000FF), ref: 00713776
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CreateFile$ErrorH_prolog3_Last
    • String ID:
    • API String ID: 4294874049-0
    • Opcode ID: 56da200d6962b5c3d6b2fa6b3764e7321ac65d7299cf3420466e38d490ce9dbe
    • Instruction ID: 1bfde746dfce1c8bc056e639091659831fefda63c710ed6943343eb614d1335a
    • Opcode Fuzzy Hash: 56da200d6962b5c3d6b2fa6b3764e7321ac65d7299cf3420466e38d490ce9dbe
    • Instruction Fuzzy Hash: 3CE0A57181026CEACF00FB94DD9AAEE7739BF15744F144019BA096B191DA78AF49CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GdipAlloc.GDIPLUS(00000010), ref: 00725BDC
      • Part of subcall function 00725919: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 0072593A
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Gdip$AllocBitmapCreateFromStream
    • String ID:
    • API String ID: 1915507550-0
    • Opcode ID: 478f8b8c81deb0fc53abe9f08a4f22149e6ab8492a042acd5b5e01f701b0f814
    • Instruction ID: 28d32cce8eac9b4b195ab2332db43faf118531130292af629318fd5222f0fb0e
    • Opcode Fuzzy Hash: 478f8b8c81deb0fc53abe9f08a4f22149e6ab8492a042acd5b5e01f701b0f814
    • Instruction Fuzzy Hash: D6D0A970200629FADF026B20AC06A6E7A98AB00380F00C021B84285181EEB9DE10A6A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,00000000,0071B82D), ref: 0072B030
      • Part of subcall function 007275D8: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 007275E9
      • Part of subcall function 007275D8: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007275FA
      • Part of subcall function 007275D8: IsDialogMessageW.USER32(0001044A,?), ref: 0072760E
      • Part of subcall function 007275D8: TranslateMessage.USER32(?), ref: 0072761C
      • Part of subcall function 007275D8: DispatchMessageW.USER32(?), ref: 00727626
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Message$DialogDispatchItemPeekSendTranslate
    • String ID:
    • API String ID: 897784432-0
    • Opcode ID: 4c627cbb4591c36a88c42ab5347ec258884d8232ab8cfc465ebd58cec69b7061
    • Instruction ID: c0dd217c86d7a39db95b8af6abd33fe5bc1fd1aad9ec74e113d17badc9bed228
    • Opcode Fuzzy Hash: 4c627cbb4591c36a88c42ab5347ec258884d8232ab8cfc465ebd58cec69b7061
    • Instruction Fuzzy Hash: 36D09E71164300BAE6022B51DE0AF1ABAA2BB88F04F404554B345740F1C6A69D319B06
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 0b68a6a79e009959eb6ceef7967d56b732b7fb6e10b486de30d90cc040d4cb5c
    • Instruction ID: 63b7437108002bac5e5cd6e2f47f132570884c36f8182be965ed57053ef2efd0
    • Opcode Fuzzy Hash: 0b68a6a79e009959eb6ceef7967d56b732b7fb6e10b486de30d90cc040d4cb5c
    • Instruction Fuzzy Hash: 89B012D6359051EC314961183D17C36138CC0C1B10370842BF941C0141D74C4C801031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 340241fc1e17bc5c9d7df71a2c7db57b07cbc6716e89a4310f8f3960cbeaa1e0
    • Instruction ID: fab3ba75141db5e71650f9a6343c71098413c474300dbc0529066c15c2215016
    • Opcode Fuzzy Hash: 340241fc1e17bc5c9d7df71a2c7db57b07cbc6716e89a4310f8f3960cbeaa1e0
    • Instruction Fuzzy Hash: 86B012D235B051AC314951087E07C36174CC1C0B10770442BF445C0141D74D0C411031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 43cb7f6f6bef0fd0e98a1463959a1ce98be2827cf1b3c4eeaf058dcc5f5794d0
    • Instruction ID: 7e88f6388d383ee8ed91e6da83263bf1284ce4955765a1d3b5457527928567b9
    • Opcode Fuzzy Hash: 43cb7f6f6bef0fd0e98a1463959a1ce98be2827cf1b3c4eeaf058dcc5f5794d0
    • Instruction Fuzzy Hash: C0B012D235A061AC314961087D17C36134CC1C1B10770852BF845C0141D74C0C401031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: ca86c2d00872cae963b3ffe18e1b1c3a1e386da908547331af74390263a36a85
    • Instruction ID: 52ca5a3894e4144536e4c8e8b9e9e1a8ef4b2666664cefe4746e4c8a49c86d4f
    • Opcode Fuzzy Hash: ca86c2d00872cae963b3ffe18e1b1c3a1e386da908547331af74390263a36a85
    • Instruction Fuzzy Hash: 1DB012E235A151AD318952087D07C36134CC1C0B10770452BF445C0141D74C0C801031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: bb9108e61ec6235b619590104b67e7e1e574bc33d8d5a2e4cf5a54e4ec5dc15f
    • Instruction ID: 2896aa8096a9d8bfab1acb7d80e468d121bb80185b7a1f170e51d1511a3e2cd8
    • Opcode Fuzzy Hash: bb9108e61ec6235b619590104b67e7e1e574bc33d8d5a2e4cf5a54e4ec5dc15f
    • Instruction Fuzzy Hash: 05B012E2359091AC3149510D3D07C36134CC0C0B10370842BF441C4141E74C0C441031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: ee6ce84e00e7eed249bc699b0270f36e2ea7096af18d59ee2bd25822358bb7bb
    • Instruction ID: 2642e8afc3c74ea34d594a9dbfa420dbc6cad702bd08c63a6acd95a4c0ce7c56
    • Opcode Fuzzy Hash: ee6ce84e00e7eed249bc699b0270f36e2ea7096af18d59ee2bd25822358bb7bb
    • Instruction Fuzzy Hash: EFB012E2359151AD3189510C3D07C36134CC0C0B10370852BF441C4141E74C0C841031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: f338fc9818d86966b17ebaf81ddf38cb5b52f8b31dfa3bd25ebddef418c46ee6
    • Instruction ID: 5c44129f51412755dbae662b1747bb38c246eb2bbca37cbb5a0f9164d54e4767
    • Opcode Fuzzy Hash: f338fc9818d86966b17ebaf81ddf38cb5b52f8b31dfa3bd25ebddef418c46ee6
    • Instruction Fuzzy Hash: 89B012E2359051AC3149510C3E07C36134CC0C0B10370842BF441C4141E74C0D451031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: e4b0572ff54e0625a52e467e9b083c8cc8f2ffdd49dccd0d9ea852c665620a72
    • Instruction ID: 2c5a1ed21c194f891efe7c67eb5aaf29ba3d29602239d20be16851415e5fce24
    • Opcode Fuzzy Hash: e4b0572ff54e0625a52e467e9b083c8cc8f2ffdd49dccd0d9ea852c665620a72
    • Instruction Fuzzy Hash: 39B012E2359051AC3149610C3D17C36134CC0C1B10370C42BF841C4141E74C0C481031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: d90d4bbff24311ddd69d84ea3090914926dde1b6cf72c300900a074466537564
    • Instruction ID: ad42cea088e8e035d09884ba1fbe5b49d58501c3f712ff73fb916f2841749b6d
    • Opcode Fuzzy Hash: d90d4bbff24311ddd69d84ea3090914926dde1b6cf72c300900a074466537564
    • Instruction Fuzzy Hash: B4B012D2359091AC3149514C3D07C36134CC0C0B103B0882BF541C0241D74C0C441031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: cbd5f868a1571c995a5e1147a205e40736948717d98e61f789c09a43a3558e48
    • Instruction ID: 23fcad19e3ffb6c951215e4ebaf6ce44e0392e1c7c80b173fe2f25c562c2c95e
    • Opcode Fuzzy Hash: cbd5f868a1571c995a5e1147a205e40736948717d98e61f789c09a43a3558e48
    • Instruction Fuzzy Hash: CAB012D2359059BC310921083E17C36130CC0C1B103B0C52BF951D0141974C0C441032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 4cfd350311bb7cb7bc252a8dcc5460d69600fe22c4e5094f507782cb14860cb8
    • Instruction ID: a56f5ea6713fde71daed5e89edabef8e53637d312b9f89b6df188379eadf7de3
    • Opcode Fuzzy Hash: 4cfd350311bb7cb7bc252a8dcc5460d69600fe22c4e5094f507782cb14860cb8
    • Instruction Fuzzy Hash: 1EB012D235D151AD318951087D07C36134CC0C0B10370452BF481C0141DB4C0C801031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: b321f43e70de8460ad7f36cbade81817b8ab48db7fd29e394db9c928ac375c88
    • Instruction ID: 3c3533107556b05f32b6098a422097bc4eefd945a0c7d17c2b761564acd5811e
    • Opcode Fuzzy Hash: b321f43e70de8460ad7f36cbade81817b8ab48db7fd29e394db9c928ac375c88
    • Instruction Fuzzy Hash: 33B012D2359051AC314961083D17C36135CC0C1B10370842BF841C0141DB4C0C401032
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 604700e405eb08861b15b9564a560bf5ab9a7a821db29f1abc58b2ef7e5fad1d
    • Instruction ID: ae8934b6736a251f8109abacf66336ead863fedf07313bcac0eebf9bd95f2dcd
    • Opcode Fuzzy Hash: 604700e405eb08861b15b9564a560bf5ab9a7a821db29f1abc58b2ef7e5fad1d
    • Instruction Fuzzy Hash: 16B012D2359051AC315A51087E07C36134CC0C0F10370442BF441C0541D74C0C411031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: e10b65a6e5419652795b0cd4e6f6bba0d1d8cf5b9eb5a5370e51e9fa48bcbb5a
    • Instruction ID: e1cff0a12b1d4622b228d62ae2abd90bfad4794735071857510701c39cec3201
    • Opcode Fuzzy Hash: e10b65a6e5419652795b0cd4e6f6bba0d1d8cf5b9eb5a5370e51e9fa48bcbb5a
    • Instruction Fuzzy Hash: 6CB012D2359091AC315A51083D07C36134CC0C0B10370482BF441C0581D74C0C401031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 10f7b1ac9340870e19cb4c90cd2da20a94ea572f2a75abb2d90aa00cf2d7a9d3
    • Instruction ID: c21194edb3d6284b249b62717b0e4dec7916ac37c946acfd8de0ae0e2f917958
    • Opcode Fuzzy Hash: 10f7b1ac9340870e19cb4c90cd2da20a94ea572f2a75abb2d90aa00cf2d7a9d3
    • Instruction Fuzzy Hash: C5B012D2359051AC315A61083D17C36134CC0C1B10370843BF841C0541D74C0C401031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 24c4c7d66ca6c2357071a3a9dd4dc57e68b386616d798b78f1501133d8c95db8
    • Instruction ID: 66658664e4547312fd354ad0b6e01600364c44aaae6cbb44c370bc65698687e1
    • Opcode Fuzzy Hash: 24c4c7d66ca6c2357071a3a9dd4dc57e68b386616d798b78f1501133d8c95db8
    • Instruction Fuzzy Hash: 6EB012E7359095EC314951083D17C36138CC0C0B10370452BF441C0141D74C0C801031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 55e6012191936cb0009a296fb82c120b5b4eae9bad950c1afec2e5e586ab8328
    • Instruction ID: 8ee5cecb271732fdfbb0f5dc8ace8fe2788a4eeee3fc590f536e5c7ef680e63f
    • Opcode Fuzzy Hash: 55e6012191936cb0009a296fb82c120b5b4eae9bad950c1afec2e5e586ab8328
    • Instruction Fuzzy Hash: FFB012D7359151ED318951083D07C36138CC0C0B10370452BF441C0141D74C0CC01031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 28f7a0b5f521548db833d8bb51d7e9b6bac779e3ad9f9de4663c503a03ea9c8e
    • Instruction ID: 48069ec00985d52008c8b59b2e5dfdcd67070d17f30d7d6c4f668161adde64b6
    • Opcode Fuzzy Hash: 28f7a0b5f521548db833d8bb51d7e9b6bac779e3ad9f9de4663c503a03ea9c8e
    • Instruction Fuzzy Hash: A4B012E6359051EC314951083E07C3613CCC0C0B10770442BF441C0141D74C0C811031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: ce4d50281712cae479ce8e57439ef00d503fc022bffdd1a5d9d8ca583d9ea9c4
    • Instruction ID: c0e0f379d0fdce5420ab654c7ce2431c76724c31b5da54c1c9f593e4a3e61b2b
    • Opcode Fuzzy Hash: ce4d50281712cae479ce8e57439ef00d503fc022bffdd1a5d9d8ca583d9ea9c4
    • Instruction Fuzzy Hash: A7B012E236D021EC3145A1083C0AC3B031CC0C0B10370C03AF981C4040DB4C3C880531
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: af2b66460bbfd65996cc037e97551c8eb07e6b109a6a257648b9ef3f8bf79eff
    • Instruction ID: 64ec4bd0c996d48c7636f3ea7a2df7186c819975ca66b0de2a22a79f856a84ee
    • Opcode Fuzzy Hash: af2b66460bbfd65996cc037e97551c8eb07e6b109a6a257648b9ef3f8bf79eff
    • Instruction Fuzzy Hash: FFB012D236D061ED314591043D0AD3E031CC0C0B143B0843AF781C0040DB4C3C840531
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: c36123af2274bcbdab53f7bce9033a8ccf623f717f6ed8f569c69433ec0d7fe8
    • Instruction ID: 32bb40760b760c31ed8faa82b4b9dd78a744f8a87c9ce33ad7998c8463f4f57b
    • Opcode Fuzzy Hash: c36123af2274bcbdab53f7bce9033a8ccf623f717f6ed8f569c69433ec0d7fe8
    • Instruction Fuzzy Hash: D4B012E236D021FC314591483D0AC3B031CC0C0B10370C03AF681C4040DB4D3C850531
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 538562cc428fa4d23e7fe17cb17df508be1a1cfa4bfe1852570c86fa6b203c9f
    • Instruction ID: 1dfdf52afc008f14fbfb258c5822ad5421cecf90bc6bc9f5e34e13a59bdd0788
    • Opcode Fuzzy Hash: 538562cc428fa4d23e7fe17cb17df508be1a1cfa4bfe1852570c86fa6b203c9f
    • Instruction Fuzzy Hash: D1B012D236A212EC374551193C06C3A237CC0C4F103B0C22BF541C0040D74C2C446131
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: e11f26b838954f132edce2ef8772628ebb80baf9d265409b90c9a043d739b07b
    • Instruction ID: 66e76f5953b12493dd7ce5a4931ff7d73aa972a611a4657aa4f86986cc6bd38b
    • Opcode Fuzzy Hash: e11f26b838954f132edce2ef8772628ebb80baf9d265409b90c9a043d739b07b
    • Instruction Fuzzy Hash: 4BB012D236A012FC324951587D07C3A137CC0C4B103F0C22AF641C0040D74C2C012431
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: c6d9014f7dd8453563ec1d28bfe9c5efa227c45e3431396a1cad63ee2028cac0
    • Instruction ID: 87b3ae81a0c6ac9efb483f73ca44a8714643c4bf12aeaef3de179f2476c84193
    • Opcode Fuzzy Hash: c6d9014f7dd8453563ec1d28bfe9c5efa227c45e3431396a1cad63ee2028cac0
    • Instruction Fuzzy Hash: 5EB012D236A112FC320961147C07C3A133CC0C4B103B0C52AF941C0040D74C2C002031
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetCurrentDirectoryW.KERNELBASE(?), ref: 0071666B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CurrentDirectory
    • String ID:
    • API String ID: 1611563598-0
    • Opcode ID: b6a5d158cc80a976b2a6a5cb6553c9aa92cf8abe88904eb1ca599754c54b403a
    • Instruction ID: d7ab13f6fb4099e6d92cc562c82a41c85e419743714f46023c50afd0be36a3d1
    • Opcode Fuzzy Hash: b6a5d158cc80a976b2a6a5cb6553c9aa92cf8abe88904eb1ca599754c54b403a
    • Instruction Fuzzy Hash: 72C04870205200DFC704CF6AEA8CE0A77EABF92B06B41C469F400CB172D738D8A1DA29
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a99b36cf1878e8373859777cb35a3381b1c2352d5a2f2692175147231dfdadf9
    • Instruction ID: b5f4a6d485c13c37074325e01cc8addfcbd55ca07c3981e33bbee930f2a68832
    • Opcode Fuzzy Hash: a99b36cf1878e8373859777cb35a3381b1c2352d5a2f2692175147231dfdadf9
    • Instruction Fuzzy Hash: E0A011E22AA0A2BC300822003E0BC3A030CC0C0B203B0880AF00280080AB8808802030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 2806f27901a8b5bdd3a0356a6fbdd034b1c8a646e6163ec50cce9053cd7dde52
    • Instruction ID: b5f4a6d485c13c37074325e01cc8addfcbd55ca07c3981e33bbee930f2a68832
    • Opcode Fuzzy Hash: 2806f27901a8b5bdd3a0356a6fbdd034b1c8a646e6163ec50cce9053cd7dde52
    • Instruction Fuzzy Hash: E0A011E22AA0A2BC300822003E0BC3A030CC0C0B203B0880AF00280080AB8808802030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 0d31e55a54d8ec28d89d6617f57f43ea4b120a0dce6a360419837696d5a4c6dd
    • Instruction ID: b5f4a6d485c13c37074325e01cc8addfcbd55ca07c3981e33bbee930f2a68832
    • Opcode Fuzzy Hash: 0d31e55a54d8ec28d89d6617f57f43ea4b120a0dce6a360419837696d5a4c6dd
    • Instruction Fuzzy Hash: E0A011E22AA0A2BC300822003E0BC3A030CC0C0B203B0880AF00280080AB8808802030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 57a339568fe6a379f0d88ee2b9465bb18116ae63023ec1c52b2e2400aadcc6ba
    • Instruction ID: b5f4a6d485c13c37074325e01cc8addfcbd55ca07c3981e33bbee930f2a68832
    • Opcode Fuzzy Hash: 57a339568fe6a379f0d88ee2b9465bb18116ae63023ec1c52b2e2400aadcc6ba
    • Instruction Fuzzy Hash: E0A011E22AA0A2BC300822003E0BC3A030CC0C0B203B0880AF00280080AB8808802030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 81b82821a5d8106bf78260854a2b12e48e30c7cd385d07dec3244b3e05c80a1d
    • Instruction ID: b5f4a6d485c13c37074325e01cc8addfcbd55ca07c3981e33bbee930f2a68832
    • Opcode Fuzzy Hash: 81b82821a5d8106bf78260854a2b12e48e30c7cd385d07dec3244b3e05c80a1d
    • Instruction Fuzzy Hash: E0A011E22AA0A2BC300822003E0BC3A030CC0C0B203B0880AF00280080AB8808802030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 991ec35b5577e4e1b05e3fcba90de2cac7e0985dfa0c07cf3a60a76f4b1a8f70
    • Instruction ID: b5f4a6d485c13c37074325e01cc8addfcbd55ca07c3981e33bbee930f2a68832
    • Opcode Fuzzy Hash: 991ec35b5577e4e1b05e3fcba90de2cac7e0985dfa0c07cf3a60a76f4b1a8f70
    • Instruction Fuzzy Hash: E0A011E22AA0A2BC300822003E0BC3A030CC0C0B203B0880AF00280080AB8808802030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B796
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a356ea13e4b734a9cf54d5a97945cf9ce4144748c1b39d277b827a6806309c9f
    • Instruction ID: b5f4a6d485c13c37074325e01cc8addfcbd55ca07c3981e33bbee930f2a68832
    • Opcode Fuzzy Hash: a356ea13e4b734a9cf54d5a97945cf9ce4144748c1b39d277b827a6806309c9f
    • Instruction Fuzzy Hash: E0A011E22AA0A2BC300822003E0BC3A030CC0C0B203B0880AF00280080AB8808802030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 057e736e5b026f18515a158738afc39677a113c149446ecb2bbe64c8883c2a42
    • Instruction ID: f9bf7f0a3040e2086eacff1497a91a72e871b38f6e2c266da81ce1b5b9d11e0a
    • Opcode Fuzzy Hash: 057e736e5b026f18515a158738afc39677a113c149446ecb2bbe64c8883c2a42
    • Instruction Fuzzy Hash: 6CA001E66AE162FC7549A2517D0AC7A432CC4C4BA13B0896AF69284481AB8938955931
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 98c7ae122e425135052f00010c0fef120f3b8aeb11f4d735bf704bdcb60a7c39
    • Instruction ID: f9bf7f0a3040e2086eacff1497a91a72e871b38f6e2c266da81ce1b5b9d11e0a
    • Opcode Fuzzy Hash: 98c7ae122e425135052f00010c0fef120f3b8aeb11f4d735bf704bdcb60a7c39
    • Instruction Fuzzy Hash: 6CA001E66AE162FC7549A2517D0AC7A432CC4C4BA13B0896AF69284481AB8938955931
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: d81e7e43e7ccaeac124a34d6f89836666d26d015549250b848d201a10236d54e
    • Instruction ID: f9bf7f0a3040e2086eacff1497a91a72e871b38f6e2c266da81ce1b5b9d11e0a
    • Opcode Fuzzy Hash: d81e7e43e7ccaeac124a34d6f89836666d26d015549250b848d201a10236d54e
    • Instruction Fuzzy Hash: 6CA001E66AE162FC7549A2517D0AC7A432CC4C4BA13B0896AF69284481AB8938955931
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: fc5f5297ddddbefae0696568fdf2a03373bf168f1e23bbd2f20a2ecbe6ff08f0
    • Instruction ID: f9bf7f0a3040e2086eacff1497a91a72e871b38f6e2c266da81ce1b5b9d11e0a
    • Opcode Fuzzy Hash: fc5f5297ddddbefae0696568fdf2a03373bf168f1e23bbd2f20a2ecbe6ff08f0
    • Instruction Fuzzy Hash: 6CA001E66AE162FC7549A2517D0AC7A432CC4C4BA13B0896AF69284481AB8938955931
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 3d18e12d4b8642843617f4a9437ba5c1791057473d675195f531a210da2ac086
    • Instruction ID: f8697d92b2cd7ac56e3225a699ae9ea2d670dcd534da5c5f48a7edbada3db474
    • Opcode Fuzzy Hash: 3d18e12d4b8642843617f4a9437ba5c1791057473d675195f531a210da2ac086
    • Instruction Fuzzy Hash: DDA001E66AA162BC7949A2517D4AC7A432CC4C0B613B0856AFA9194481AB8938955931
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072B9B9
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 19809299fedb39a07d068dae7d48bc4a01b51988d898c23372db78004703e474
    • Instruction ID: f9bf7f0a3040e2086eacff1497a91a72e871b38f6e2c266da81ce1b5b9d11e0a
    • Opcode Fuzzy Hash: 19809299fedb39a07d068dae7d48bc4a01b51988d898c23372db78004703e474
    • Instruction Fuzzy Hash: 6CA001E66AE162FC7549A2517D0AC7A432CC4C4BA13B0896AF69284481AB8938955931
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 0aef5c999c0498951c8aee1b9e963838bc01c22643a57ae48a4e31b8cc3a45ea
    • Instruction ID: 6b49eb94dcb93922d2d0cb346bfffb6d8d90ec90fbe5582e9fc751aa1a5551e4
    • Opcode Fuzzy Hash: 0aef5c999c0498951c8aee1b9e963838bc01c22643a57ae48a4e31b8cc3a45ea
    • Instruction Fuzzy Hash: 98A011E22AA023BC320822203C0AC3A033CC0C8B203B0C80AF20280080EB8828002030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: e446de5f670f59f9ecbb910077169a302a14bc25f82c4c2b948c45f959721fbd
    • Instruction ID: 6b49eb94dcb93922d2d0cb346bfffb6d8d90ec90fbe5582e9fc751aa1a5551e4
    • Opcode Fuzzy Hash: e446de5f670f59f9ecbb910077169a302a14bc25f82c4c2b948c45f959721fbd
    • Instruction Fuzzy Hash: 98A011E22AA023BC320822203C0AC3A033CC0C8B203B0C80AF20280080EB8828002030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: aad69495228a45948ba7c2eb04a52997a78f05cd44d43b3afdf3966360374249
    • Instruction ID: 6b49eb94dcb93922d2d0cb346bfffb6d8d90ec90fbe5582e9fc751aa1a5551e4
    • Opcode Fuzzy Hash: aad69495228a45948ba7c2eb04a52997a78f05cd44d43b3afdf3966360374249
    • Instruction Fuzzy Hash: 98A011E22AA023BC320822203C0AC3A033CC0C8B203B0C80AF20280080EB8828002030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 6272d635a5f59a14c2c544bb972b1aeb5e630ec7b584a2f56fb348a9eb6acb31
    • Instruction ID: 6b49eb94dcb93922d2d0cb346bfffb6d8d90ec90fbe5582e9fc751aa1a5551e4
    • Opcode Fuzzy Hash: 6272d635a5f59a14c2c544bb972b1aeb5e630ec7b584a2f56fb348a9eb6acb31
    • Instruction Fuzzy Hash: 98A011E22AA023BC320822203C0AC3A033CC0C8B203B0C80AF20280080EB8828002030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAA3
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: 90e8958a5da8869f8846ea2635897b98f4b8e857ce739b19e41c76f7b729d32a
    • Instruction ID: 6b49eb94dcb93922d2d0cb346bfffb6d8d90ec90fbe5582e9fc751aa1a5551e4
    • Opcode Fuzzy Hash: 90e8958a5da8869f8846ea2635897b98f4b8e857ce739b19e41c76f7b729d32a
    • Instruction Fuzzy Hash: 98A011E22AA023BC320822203C0AC3A033CC0C8B203B0C80AF20280080EB8828002030
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetDlgItemTextW.USER32(?,?,?), ref: 00711B30
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ItemText
    • String ID:
    • API String ID: 3367045223-0
    • Opcode ID: 93bcecbeefd04b6daeca1a831d35cb242925cc4427599a3e5f7eea7104fe0146
    • Instruction ID: 4b938cd73092c2ba26685cba2908db370ba807ea15bc923d184a0e52c4fb7356
    • Opcode Fuzzy Hash: 93bcecbeefd04b6daeca1a831d35cb242925cc4427599a3e5f7eea7104fe0146
    • Instruction Fuzzy Hash: 73C01270008200EFCB05CF08E848D1ABBA2FB92311B00C458F094CA031D330D864CB26
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072BAFA
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadSectionWrite$AcquireExceptionHelper2@8LoadRaiseRelease___delay
    • String ID:
    • API String ID: 697777088-0
    • Opcode ID: a8dfb01f2b872e10e192ab123d6521751d92173a48d4ca51e3b08b37f51eb1ac
    • Instruction ID: 8138945572fd125a3f13daa77f4d4ed3a22948c9edf90175d8378471a799a8b9
    • Opcode Fuzzy Hash: a8dfb01f2b872e10e192ab123d6521751d92173a48d4ca51e3b08b37f51eb1ac
    • Instruction Fuzzy Hash: 97A002E77EB152BC714962517D0BC7F432CC4C5F217B0855EF590C4481AB883D954431
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetWindowTextW.USER32(?,?), ref: 00711B4A
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: TextWindow
    • String ID:
    • API String ID: 530164218-0
    • Opcode ID: 8a33d58c056ed6e2de945f22f88cb14c0e0cea4b21b0b69f7ff1ce7a7618d021
    • Instruction ID: bd87873daf351afcb1b6f6a29d8b104e88526bc082a85e9b704c5c56bffcec4a
    • Opcode Fuzzy Hash: 8a33d58c056ed6e2de945f22f88cb14c0e0cea4b21b0b69f7ff1ce7a7618d021
    • Instruction Fuzzy Hash: E9C04C70104201EFC745DF08D988C16BBA5FB91341B41C468F0858B431D734D894CB25
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetEndOfFile.KERNELBASE(?,0071E8D6), ref: 00713D7C
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: File
    • String ID:
    • API String ID: 749574446-0
    • Opcode ID: 746ffe9fbbcc5d74829077998db03ccb70f65b4430fe946a7d3622725ad5d2f4
    • Instruction ID: 8542cca628ca608348d25ccadd56b2ea29a61426d2bc9e2843482bb37b18449c
    • Opcode Fuzzy Hash: 746ffe9fbbcc5d74829077998db03ccb70f65b4430fe946a7d3622725ad5d2f4
    • Instruction Fuzzy Hash: 9AA001346011058B9B161B21DE09A097AAAAE4669579980AAA50988072DB2A8CA3EA15
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0072859A
      • Part of subcall function 00711B78: GetDlgItem.USER32(00000000,00003021), ref: 00711BBC
      • Part of subcall function 00711B78: SetWindowTextW.USER32(00000000,00742668), ref: 00711BD2
    • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 0072861B
    • EndDialog.USER32(?,00000006), ref: 0072862E
    • GetDlgItem.USER32(?,0000006C), ref: 0072864A
    • SetFocus.USER32(00000000), ref: 00728651
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
      • Part of subcall function 00711B1B: SetDlgItemTextW.USER32(?,?,?), ref: 00711B30
    • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 007286C3
    • FindFirstFileW.KERNEL32(?,?), ref: 007286E3
    • FindClose.KERNEL32(00000000,?,00000000,00000000,00000000,00000099,?,?,00000000), ref: 00728786
    • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 0072880D
      • Part of subcall function 00711170: _wcslen.LIBCMT ref: 0071117B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Item$MessageSend$FindText_wcslen$CloseDialogFileFirstFocusH_prolog3_Window
    • String ID: %s %s$REPLACEFILEDLG
    • API String ID: 485132379-439456425
    • Opcode ID: 3b81e1db7fb96b2defa300788d6ec38896c34c756e2d77557f23f1444aba0711
    • Instruction ID: 2e9ffa4bbc4a3b2e53b841cc27e2849cff0e7e5d0311184a3d013358878e10c4
    • Opcode Fuzzy Hash: 3b81e1db7fb96b2defa300788d6ec38896c34c756e2d77557f23f1444aba0711
    • Instruction Fuzzy Hash: D8A1BF71901228EAEB21EB64DD4EFEE777CAF15700F404095F60AA61C2DB796F84CB61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: __floor_pentium4
    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
    • API String ID: 4168288129-2761157908
    • Opcode ID: 13d80dfb2e4b0e971d86a7eaeca2c30be889764eeed32e021bae983e22b02abd
    • Instruction ID: 717baacda62612948b38826ab4f997024821d5958c740514a9fe411decef8bfd
    • Opcode Fuzzy Hash: 13d80dfb2e4b0e971d86a7eaeca2c30be889764eeed32e021bae983e22b02abd
    • Instruction Fuzzy Hash: 0AC24F71E086298FEB25CF28DD447EAB7B5EB44305F1441EAD54DE7242E778AE818F40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0072D24E
    • IsDebuggerPresent.KERNEL32 ref: 0072D31A
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0072D33A
    • UnhandledExceptionFilter.KERNEL32(?), ref: 0072D344
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
    • String ID:
    • API String ID: 254469556-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32 ref: 00712E73
    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00712E94
    • _wcslen.LIBCMT ref: 00712EA3
    • LocalFree.KERNEL32(?), ref: 00712EB6
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: ErrorFormatFreeLastLocalMessage_wcslen
    • String ID:
    • API String ID: 991192900-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • VirtualQuery.KERNEL32(80000000,0072BB62,0000001C,0072BD57,00000000,?,?,?,?,?,?,?,0072BB62,00000004,0076B520,0072BDE7), ref: 0072BC2E
    • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,0072BB62,00000004,0076B520,0072BDE7), ref: 0072BC49
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: InfoQuerySystemVirtual
    • String ID: D
    • API String ID: 401686933-2746444292
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0072C17E), ref: 007313AC
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0072C17E), ref: 007313B6
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0072C17E), ref: 007313C3
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID:
    • String ID: .
    • API String ID: 0-248832578
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00726D2B
    • GetNumberFormatW.KERNEL32(00000400,00000000,?,0074E6E4,?,?), ref: 00726D74
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: FormatInfoLocaleNumber
    • String ID:
    • API String ID: 2169056816-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0073EE2D,?,?,00000008,?,?,0073EACD,00000000), ref: 0073F05F
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0072D074
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: FeaturePresentProcessor
    • String ID:
    • API String ID: 2325560087-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetVersionExW.KERNEL32(?), ref: 00715063
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: Version
    • String ID:
    • API String ID: 1889659487-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_0001D400,0072CE75), ref: 0072D3EA
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
    • Instruction ID: 735a08266316c2123a856fbf262dd101f6ed4f299f026c90b3906126cc150f93
    • Instruction Fuzzy Hash: 9311507B3010F187D614EA3DF8B45B7E795EBC6321F2C837AF0418B754D22AD9459640
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _swprintf.LIBCMT ref: 00717B9C
      • Part of subcall function 00714C1E: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00714C31
      • Part of subcall function 0071BBC8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00717BB8,?,00000000,00000000,?,?,?,00717BB8,?,?,00000050), ref: 0071BBE5
    • SetDlgItemTextW.USER32(?,0074E16C,?), ref: 00717C16
    • GetWindowRect.USER32(?,?), ref: 00717C4C
    • GetClientRect.USER32(?,?), ref: 00717C58
    • GetWindowLongW.USER32(?,000000F0), ref: 00717D03
    • GetWindowRect.USER32(?,?), ref: 00717D33
    • SetWindowTextW.USER32(?,?), ref: 00717D62
    • GetSystemMetrics.USER32(00000008), ref: 00717D6A
    • GetWindow.USER32(?,00000005), ref: 00717D75
    • GetWindowRect.USER32(00000000,?), ref: 00717DA5
    • GetWindow.USER32(00000000,00000002), ref: 00717E17
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_swprintf
    • String ID: $%s:$CAPTION$d$lt
    • API String ID: 3208934588-3387979657
    • Opcode ID: 0d2a3ba9effc5b0d46995c265d4886f8deb3e6478f276ec6110a5c6f4c6aeae7
    • Instruction ID: 609c2d70e9a0a46c0926654f7f04330f1c86756f8eb6bbdc4dcbcfd6298ea172
    • Instruction Fuzzy Hash: FE81ADB2108305AFD315DF68CD89A6FBBF8EB89714F00491DF98593291D778E849CB52
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___free_lconv_mon.LIBCMT ref: 00739F06
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739ABE
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739AD0
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739AE2
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739AF4
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B06
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B18
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B2A
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B3C
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B4E
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B60
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B72
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B84
      • Part of subcall function 00739AA1: _free.LIBCMT ref: 00739B96
    • _free.LIBCMT ref: 00739EFB
      • Part of subcall function 00736B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?), ref: 00736B4A
      • Part of subcall function 00736B34: GetLastError.KERNEL32(?,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?,?), ref: 00736B5C
    • _free.LIBCMT ref: 00739F1D
    • _free.LIBCMT ref: 00739F32
    • _free.LIBCMT ref: 00739F3D
    • _free.LIBCMT ref: 00739F5F
    • _free.LIBCMT ref: 00739F72
    • _free.LIBCMT ref: 00739F80
    • _free.LIBCMT ref: 00739F8B
    • _free.LIBCMT ref: 00739FC3
    • _free.LIBCMT ref: 00739FCA
    • _free.LIBCMT ref: 00739FE7
    • _free.LIBCMT ref: 00739FFF
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID: (t$`t
    • API String ID: 161543041-271191166
    • Opcode ID: edc442dd54fcb3e330f89baff9a217648822f48f90856868a0b363a8ee5d7d06
    • Instruction ID: 3959d68ab24d4a390fcb8feff613267a2eb72b9af1db62a72f1efcc44e1f4664
    • Instruction Fuzzy Hash: FA311F72605606EFFB21AB39D849F56B3E9AF00310F248469F559D7593DBBAEC40CB20
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(0076B878,00000FA0,?,?,0072CBC5), ref: 0072CBF3
    • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0072CBC5), ref: 0072CBFE
    • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0072CBC5), ref: 0072CC0F
    • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0072CC21
    • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0072CC2F
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0072CBC5), ref: 0072CC52
    • DeleteCriticalSection.KERNEL32(0076B878,00000007,?,?,0072CBC5), ref: 0072CC75
    • CloseHandle.KERNEL32(00000000,?,?,0072CBC5), ref: 0072CC85
    Strings
    • kernel32.dll, xrefs: 0072CC0A
    • WakeAllConditionVariable, xrefs: 0072CC27
    • SleepConditionVariableCS, xrefs: 0072CC1B
    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0072CBF9
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
    • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
    • API String ID: 2565136772-3242537097
    • Opcode ID: ee423e89e176646a6e07bd2c94fcb7fc9398253e2f1c92b6407c2d498c5881f8
    • Instruction ID: 6b57574b06647fdeb3d76cc745017cb4b54c48b82f32a3ea7d9aafdcc3a4cbd9
    • Instruction Fuzzy Hash: FE01F5B4640722ABDA312B787D0DA2A369CDF93B417058122FD09D3160CBBCC881C679
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 00736685
      • Part of subcall function 00736B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?), ref: 00736B4A
      • Part of subcall function 00736B34: GetLastError.KERNEL32(?,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?,?), ref: 00736B5C
    • _free.LIBCMT ref: 00736691
    • _free.LIBCMT ref: 0073669C
    • _free.LIBCMT ref: 007366A7
    • _free.LIBCMT ref: 007366B2
    • _free.LIBCMT ref: 007366BD
    • _free.LIBCMT ref: 007366C8
    • _free.LIBCMT ref: 007366D3
    • _free.LIBCMT ref: 007366DE
    • _free.LIBCMT ref: 007366EC
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID: 0St
    • API String ID: 776569668-500467504
    • Opcode ID: 675e127613e9f3e1ac084db84645ebe6509930cae5ca5cd378f9e71d2af770db
    • Instruction ID: 958fa2375d2cddab4533bd11b2875d9aefadfe3102dc35769061ec3771db5918
    • Instruction Fuzzy Hash: BA11A4B6611148FFDF01EF54C846CD97BA5EF04350FA181A1BA088B623DA36DA51DF90
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: CallFramesMatchNestedTypeUnexpectedUnwind_aborttype_info::operator==
    • String ID: TFt$csm$csm$csm
    • API String ID: 322700389-1365524959
    • Opcode ID: f1314c2b585428b52dbbfdddc9644307fe7d8641bd28489ac6ea4a85e4f80c58
    • Instruction ID: e6b6b44f2a5eb7140e033bb2875b4d6154207f80a15f53901c6726d559d6466e
    • Instruction Fuzzy Hash: D2B18771800219EFEF15DFA4D9A59AEBBB5BF14310F14416AE815AB203D338DA61CFD1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 007249E9
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
    • _wcslen.LIBCMT ref: 00724A4B
    • _wcslen.LIBCMT ref: 00724A6A
    • _wcslen.LIBCMT ref: 00724A86
    • GlobalAlloc.KERNEL32(00000040,?,00000000,007434A8,00000000,?,00000000,?,<html>,00000006,<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>,?), ref: 00724AFD
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: _wcslen$AllocGlobalH_prolog3_
    • String ID: </html>$<html>$<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head>$<style>body{font-family:"Arial";font-size:12;}</style>
    • API String ID: 1478282658-1533471033
    • Opcode ID: ee4ab26a659bf812ef567a501d8dce0a16e63ca1eb4421811a161e8435269aef
    • Instruction ID: b32c43a6c97ebfdf8469282c4f4423ba9e035a41d6ccc08e04efaa51bea5635a
    • Instruction Fuzzy Hash: 7051B571900258EFDB05EBA4DC49BEEBB78EF15310F100019E505BB182DB785E81CBA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetWindow.USER32(?,00000005), ref: 0072A724
    • GetClassNameW.USER32(00000000,?,00000080), ref: 0072A750
      • Part of subcall function 0071BF3C: CompareStringW.KERNEL32(00000400,00001001,D5FC40FB,000000FF,?,000000FF,007153ED,0000002E,-00000002,00000000,?,00000000,?,00000008,?,?), ref: 0071BF52
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0072A76C
    • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 0072A783
    • GetObjectW.GDI32(00000000,00000018,?), ref: 0072A797
    • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0072A7C0
    • DeleteObject.GDI32(00000000), ref: 0072A7C7
    • GetWindow.USER32(00000000,00000002), ref: 0072A7D0
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
    • String ID: STATIC
    • API String ID: 3820355801-1882779555
    • Opcode ID: 17c22fec804c148632c56b42a11c288a0057a38c24556f329e30247a7b596ae5
    • Instruction ID: 3b16d7c6081bda5307ee40eda4183ebb8b95dce5b04e622ec6096ecdeed76b80
    • Instruction Fuzzy Hash: C5210AB2144764BFE2226B24EC4AFBF77ACAF55710F004015FA42A6292D77C890546AA
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: __alldvrm$_strrchr
    • String ID: }(s$}(s$}(s
    • API String ID: 1036877536-2310250345
    • Opcode ID: 8881f98e90fdfbbaba227011bdafa62b0478987616c577047395685bcd86fc10
    • Instruction ID: 70406361624fb42a4df18484e1919681e93c93055bedda208c0d372266b4b595
    • Instruction Fuzzy Hash: 7BA127B2A0838A9FFB39CF18C8817AEBBE5EF55350F2441ADE5959B243D23C8941C750
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: H_prolog3_wcslen
    • String ID: $</p>$</style>$<br>$<style>
    • API String ID: 3746244732-3393513139
    • Opcode ID: 39750edbb65401771d3c8ef73579f28468a3e1284ccdcfef6eed93603a76a457
    • Instruction ID: a8b3c8bf96529b0eb8dcc06f97944c4b44eee0f02f7e1621add20ad71d9daa9b
    • Instruction Fuzzy Hash: 37515AA5B01B32D7DB309A14A8217BA73E1BF64355F944019FDC59B2C1E77D9E81C390
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00711B78: GetDlgItem.USER32(00000000,00003021), ref: 00711BBC
      • Part of subcall function 00711B78: SetWindowTextW.USER32(00000000,00742668), ref: 00711BD2
    • EndDialog.USER32(?,00000001), ref: 00727680
    • SendMessageW.USER32(?,00000080,00000001,0001044F), ref: 007276A7
    • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,00050E1A), ref: 007276C0
    • GetDlgItem.USER32(?,00000065), ref: 007276DC
    • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 007276F0
    • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00727706
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: MessageSend$Item$DialogTextWindow
    • String ID: LICENSEDLG
    • API String ID: 3077722735-2177901306
    • Opcode ID: db0d7a3942ab9054995aec991f1c403f8540e8b956f40fbc7255e082064ecfb6
    • Instruction ID: 20fc52b36a002515f3b6d157f0b23304c5d193827ab150608236c2668965783e
    • Instruction Fuzzy Hash: 8D2106B1208724BFD2156F69FD0CE7B3B6CEB57785F018014F242E51A1C7AE9901C6BA
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,00731C52,?,?,?,007316CD,00000050,?), ref: 00736769
    • _free.LIBCMT ref: 0073679C
    • _free.LIBCMT ref: 007367C4
    • SetLastError.KERNEL32(00000000,?), ref: 007367D1
    • SetLastError.KERNEL32(00000000,?), ref: 007367DD
    • _abort.LIBCMT ref: 007367E3
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID: ht
    • API String ID: 3160817290-696075778
    • Opcode ID: 535df997cc940f4215a00ffcba76eb5518e8ff3ab133ae35f58d1314e890a5a8
    • Instruction ID: 1f11cfced43fd444d11b405fe8c83263a8f25e37bbf76078d56faeb6d68fe652
    • Instruction Fuzzy Hash: 59F0F436140600BAF2123324AC4EB2B1599ABC3739F608115F614D2693FF2D88028525
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 007158DB
    • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,00000030), ref: 00715910
    • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 0071594F
    • _wcslen.LIBCMT ref: 0071595F
    • GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,00000030), ref: 007159DC
    • GetFullPathNameW.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,00000030), ref: 00715A1E
    • _wcslen.LIBCMT ref: 00715A2E
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: FullNamePath$_wcslen$H_prolog3_
    • String ID:
    • API String ID: 840513527-0
    • Opcode ID: 4d1e7c7793d33a35a4bad07517b14683df309d49ee22f88ae3ac90f6bac33ab7
    • Instruction ID: f4b1cf5e0937d22580bbaa3142ec388e88daaeda6426e5afc327632c29f9f0e4
    • Instruction Fuzzy Hash: 08614F71E00608EADB18DFACD985AEEBBB9EFC4710F544219F411F7291DB789980CB21
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0073D107,?,00000000,?,00000000,00000000), ref: 0073C9D4
    • __fassign.LIBCMT ref: 0073CA4F
    • __fassign.LIBCMT ref: 0073CA6A
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 0073CA90
    • WriteFile.KERNEL32(?,?,00000000,0073D107,00000000,?,?,?,?,?,?,?,?,?,0073D107,?), ref: 0073CAAF
    • WriteFile.KERNEL32(?,?,00000001,0073D107,00000000,?,?,?,?,?,?,?,?,?,0073D107,?), ref: 0073CAE8
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: def721eed56b483f6a0549cc88a56b8aee87f28877ac8357a3e852a8a39be722
    • Instruction ID: ee01740c1b9c77bf863833d61b9a4f4b4f2c5b75f2b984631f123e026de91116
    • Instruction Fuzzy Hash: BA51D6B0A002499FEB11CFA8DC85AEEFBF8EF09310F14811AE955F7252E734A941CB55
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0072533C
    • ShowWindow.USER32(?,00000000,00000038), ref: 00725364
    • GetWindowRect.USER32(?,?), ref: 007253A8
    • ShowWindow.USER32(?,00000005,?,00000000), ref: 00725443
    • ShowWindow.USER32(00000000,00000005), ref: 00725464
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: Window$Show$H_prolog3_Rect
    • String ID: RarHtmlClassName
    • API String ID: 950582801-1658105358
    • Opcode ID: 3b19b8310cabc550cded262660088c0a3afc092f8153132c5bc369401350a5bd
    • Instruction ID: b67e06f6675a04347cfeb1fa726c2ecd3ae6fb62969ec4cc6e56b5d97f04930b
    • Instruction Fuzzy Hash: 7D419FB1900218EFDF15EFA4ED89AAEBBB8FF48301F148155F945AB152DB78D840CB64
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00739C08: _free.LIBCMT ref: 00739C31
    • _free.LIBCMT ref: 00739C92
      • Part of subcall function 00736B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?), ref: 00736B4A
      • Part of subcall function 00736B34: GetLastError.KERNEL32(?,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?,?), ref: 00736B5C
    • _free.LIBCMT ref: 00739C9D
    • _free.LIBCMT ref: 00739CA8
    • _free.LIBCMT ref: 00739CFC
    • _free.LIBCMT ref: 00739D07
    • _free.LIBCMT ref: 00739D12
    • _free.LIBCMT ref: 00739D1D
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: b35873524a760c03ab9487437f634a877bcf59d48e38088abdb566b69e001564
    • Instruction ID: 16d453ba3835b61b63b865ee793b43d0099c26ed1a1b08b89dc2a76ef1d63c86
    • Opcode Fuzzy Hash: b35873524a760c03ab9487437f634a877bcf59d48e38088abdb566b69e001564
    • Instruction Fuzzy Hash: AA111271641704F6EAA0B770CC0BFCBB7DC6F04700F509D25B399E6553D6AAF5058A61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(0072C17E,0072C17E,?,00736938,00736BB1,?,?,0072D656,?,?,?,00000000,?,0072C08A,0072C17E,?), ref: 007367EE
    • _free.LIBCMT ref: 00736823
    • _free.LIBCMT ref: 0073684A
    • SetLastError.KERNEL32(00000000,?,0072C17E), ref: 00736857
    • SetLastError.KERNEL32(00000000,?,0072C17E), ref: 00736860
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID: ht
    • API String ID: 3170660625-696075778
    • Opcode ID: 5d1627e32a489c0d528e53e7a03f58c8306d84561db50d4f9ead6cc2779806ca
    • Instruction ID: f2543a41273d0d1ad0275adc2878b16b03bbc1f42a2e250b6176e63ed365bc6f
    • Opcode Fuzzy Hash: 5d1627e32a489c0d528e53e7a03f58c8306d84561db50d4f9ead6cc2779806ca
    • Instruction Fuzzy Hash: 2F01F976241600BBF21237646C4996B265AEBDA374F308039F605E21A3EF3DC8168465
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,?,0072BBE3,0072BB46,0072BDE7), ref: 0072BB7F
    • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0072BB95
    • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0072BBAA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AddressProc$HandleModule
    • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
    • API String ID: 667068680-1718035505
    • Opcode ID: a57fdca50f0cb172cd9d7a6c5873454911a65dff845668d447a4ae160232d1ca
    • Instruction ID: 5e62c4d958ed6a8e775be1df8263d5d5b3166f8eecd76a0ff81340f43288c48d
    • Opcode Fuzzy Hash: a57fdca50f0cb172cd9d7a6c5873454911a65dff845668d447a4ae160232d1ca
    • Instruction Fuzzy Hash: 6EF0CDF63417339B4B314FA07CC5AA623C89A47761314453AE903E2159E76CCC92A6E4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 00735EFE
      • Part of subcall function 00736B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?), ref: 00736B4A
      • Part of subcall function 00736B34: GetLastError.KERNEL32(?,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?,?), ref: 00736B5C
    • _free.LIBCMT ref: 00735F10
    • _free.LIBCMT ref: 00735F23
    • _free.LIBCMT ref: 00735F34
    • _free.LIBCMT ref: 00735F45
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID: 0t
    • API String ID: 776569668-555663880
    • Opcode ID: e37f76660e996423f4107f4128d607b14997d17e8b92b28622ee9033207a0af0
    • Instruction ID: a105ec046a017e3ecc1c43f77d518c165f2a0ba15bdb9a939ab5e84307cd8dcf
    • Opcode Fuzzy Hash: e37f76660e996423f4107f4128d607b14997d17e8b92b28622ee9033207a0af0
    • Instruction Fuzzy Hash: 47F0B4B1901320DBE6016FA4BC068557760F70A730B25C506F402C3672C7BE48818F9C
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00732DD9,00732DD9,?,?,?,00737F51,00000001,00000001,54E85006), ref: 00737D5A
    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00737F51,00000001,00000001,54E85006,?,?,?), ref: 00737DE0
    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,54E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00737EDA
    • __freea.LIBCMT ref: 00737EE7
      • Part of subcall function 00736B6E: RtlAllocateHeap.NTDLL(00000000,0072C17E,?,?,0072D656,?,?,?,00000000,?,0072C08A,0072C17E,?,?,?,?), ref: 00736BA0
    • __freea.LIBCMT ref: 00737EF0
    • __freea.LIBCMT ref: 00737F15
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ByteCharMultiWide__freea$AllocateHeap
    • String ID:
    • API String ID: 1414292761-0
    • Opcode ID: 9042f9d823d21795c258bef7531ff691a930504f2943363c205857e0ffed6b9c
    • Instruction ID: 50e8516dafed184369d681d3f4c4ba7e526d6a07ef36c2f6dcd80a31a6653399
    • Opcode Fuzzy Hash: 9042f9d823d21795c258bef7531ff691a930504f2943363c205857e0ffed6b9c
    • Instruction Fuzzy Hash: 3351F1B2654216ABFB398F60CC45EBF77A9EF44750F144A69FC04E6182EB38DC51C690
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • FileTimeToSystemTime.KERNEL32(?,?,D5FC40FB,?,?,?,?,007409B1,000000FF), ref: 00726413
    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?,?,?,007409B1,000000FF), ref: 00726422
    • SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,007409B1,000000FF), ref: 00726430
    • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,007409B1,000000FF), ref: 0072643E
    • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032,?,?,?,?,007409B1,000000FF), ref: 00726459
    • GetTimeFormatW.KERNEL32(00000400,?,?,00000000,?,00000032,?,?,?,?,007409B1,000000FF), ref: 00726483
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Time$System$File$Format$DateLocalSpecific
    • String ID:
    • API String ID: 909090443-0
    • Opcode ID: 0d83105f1b4add630a3f061e098c61c20befe7ec4d7efe557c05257baf74d12a
    • Instruction ID: 0123741802d8a3d1d974b837046d1eef885f4914ad54c53fac5b9c332bcc7e2f
    • Opcode Fuzzy Hash: 0d83105f1b4add630a3f061e098c61c20befe7ec4d7efe557c05257baf74d12a
    • Instruction Fuzzy Hash: D2313DB650028CABDB21DF64DC45EEF77ACFB09710F40411AFA05D7191EB78AA48CB64
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,0072FF61,0072FEEC,0072D444), ref: 0072FF78
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0072FF86
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0072FF9F
    • SetLastError.KERNEL32(00000000,0072FF61,0072FEEC,0072D444), ref: 0072FFF1
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: d221a0fac3bb280721b02799f4e8f120c7285acb96f70134fe0d25ee7ee0739c
    • Instruction ID: cbd9125dd8ff3e6c91e5d1586a07dec1be5195ed9414610d48ba8775657091b7
    • Opcode Fuzzy Hash: d221a0fac3bb280721b02799f4e8f120c7285acb96f70134fe0d25ee7ee0739c
    • Instruction Fuzzy Hash: 4F018436219332EEB72627B47D8996A2BA5EF13774B20423BF214451F2EF5D4C119248
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _wcslen$H_prolog3
    • String ID: &nbsp;$<br>
    • API String ID: 1035939448-26742755
    • Opcode ID: 98ef713243bcbb226db1b63d939fba4db5cb0ce458368b53a071c56abb1ab81c
    • Instruction ID: bc4752b9794ea0448569783b3930d3c07c632593de7c0d3fc8892bf878496a57
    • Opcode Fuzzy Hash: 98ef713243bcbb226db1b63d939fba4db5cb0ce458368b53a071c56abb1ab81c
    • Instruction Fuzzy Hash: DE418131B00221DBEB24DF54E885A3D7332FB94704F61842DE5159F2C2EBB89992CBD1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0072AE34
    • SetEnvironmentVariableW.KERNEL32(sfxcmd,?,?,?,?,?,?,00000028), ref: 0072AE4C
    • SetEnvironmentVariableW.KERNEL32(sfxpar,?,?,?,?,?,?,?,00000028), ref: 0072AEB7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: EnvironmentVariable$H_prolog3_
    • String ID: sfxcmd$sfxpar
    • API String ID: 3605364767-3493335439
    • Opcode ID: ca04e71f376b0421ba53056fdde3947587b7981567aec43526f06796fd2e6975
    • Instruction ID: 3d1d5e6092576d350bae9ec3d85aa9959a89e20f0ae3c434ece620b1e098c000
    • Opcode Fuzzy Hash: ca04e71f376b0421ba53056fdde3947587b7981567aec43526f06796fd2e6975
    • Instruction Fuzzy Hash: 9A213BB0D00218EFCB15DFA8E9899EDB7B9EF08300F50441AF541B7341EB38AA45CBA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadBitmapW.USER32(00000065), ref: 00727755
    • GetObjectW.GDI32(00000000,00000018,?), ref: 0072777A
    • DeleteObject.GDI32(00000000), ref: 007277AC
    • DeleteObject.GDI32(00000000), ref: 007277CF
      • Part of subcall function 00725C5C: FindResourceW.KERNEL32(?,PNG,00000000,?,?,?,007277A5,00000066), ref: 00725C6F
      • Part of subcall function 00725C5C: SizeofResource.KERNEL32(00000000,?,?,?,007277A5,00000066), ref: 00725C86
      • Part of subcall function 00725C5C: LoadResource.KERNEL32(00000000,?,?,?,007277A5,00000066), ref: 00725C9D
      • Part of subcall function 00725C5C: LockResource.KERNEL32(00000000,?,?,?,007277A5,00000066), ref: 00725CAC
      • Part of subcall function 00725C5C: GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,007277A5,00000066), ref: 00725CC7
      • Part of subcall function 00725C5C: GlobalLock.KERNEL32(00000000,?,?,?,?,?,007277A5,00000066), ref: 00725CD8
      • Part of subcall function 00725C5C: GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00725D41
      • Part of subcall function 00725C5C: GlobalUnlock.KERNEL32(00000000), ref: 00725D60
      • Part of subcall function 00725C5C: GlobalFree.KERNEL32(00000000), ref: 00725D67
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: GlobalResource$Object$BitmapDeleteLoadLock$AllocCreateFindFreeFromGdipSizeofUnlock
    • String ID: ]
    • API String ID: 1428510222-3352871620
    • Opcode ID: 56bfe99b7aab94077a89c60662f15724f0ca4587097de22cbb6e50e0e5c7685a
    • Instruction ID: a91385c0cc87b43641e5b58120ee473daf83b00e0493f3e32e34f5e098b90ea9
    • Opcode Fuzzy Hash: 56bfe99b7aab94077a89c60662f15724f0ca4587097de22cbb6e50e0e5c7685a
    • Instruction Fuzzy Hash: F101D232544B22E7C7122BA4AE0AA7F367AAB90B56F040010F901B7390DBBD8D0586B1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,007353F8,007363DC,?,00735398,007363DC,0074C1F0,0000000C,007354EF,007363DC,00000002), ref: 00735467
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0073547A
    • FreeLibrary.KERNEL32(00000000,?,?,?,007353F8,007363DC,?,00735398,007363DC,0074C1F0,0000000C,007354EF,007363DC,00000002,00000000), ref: 0073549D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: e60ced80152f0f9c19c83eea35c54a1f2b6f97c317ec2c567958ed69a9759179
    • Instruction ID: d7c5b38bb2c7087cdfb274aecfdd39309b98602d21c0bd91b19179303dab570d
    • Opcode Fuzzy Hash: e60ced80152f0f9c19c83eea35c54a1f2b6f97c317ec2c567958ed69a9759179
    • Instruction Fuzzy Hash: 27F0C235A0060CBBDB159F90EC09BAEBFF4EF05766F408065F805A2162EB7C4E91CB84
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0071A473: __EH_prolog3_GS.LIBCMT ref: 0071A47A
      • Part of subcall function 0071A473: GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0071A4AF
    • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00718C28
    • GetProcAddress.KERNEL32(0075A138,CryptUnprotectMemory), ref: 00718C38
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AddressProc$DirectoryH_prolog3_System
    • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
    • API String ID: 270589589-1753850145
    • Opcode ID: 4c2ecb9fdf6c05841e39ac94d382ae543492590fc011c01784b7249f13046f9f
    • Instruction ID: 950285ca60d1e58f6d023d23f609f2d3c2230eedbf62a0423b2889cf60c8b008
    • Opcode Fuzzy Hash: 4c2ecb9fdf6c05841e39ac94d382ae543492590fc011c01784b7249f13046f9f
    • Instruction Fuzzy Hash: E8E0DFB0901742AECB315F389C087827ED49F04700B04C85EF0C6C2192DBBCD0D18B60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AdjustPointer$_abort
    • String ID:
    • API String ID: 2252061734-0
    • Opcode ID: a0fb88c7eee023d40d8378811600b1c3c9c3e52f54ffa57ed031fbdfee81034d
    • Instruction ID: 78c1c72fec8b8b14ae3a8a02c90da738de6b93d2f208b3930a15f406d67ab8c2
    • Opcode Fuzzy Hash: a0fb88c7eee023d40d8378811600b1c3c9c3e52f54ffa57ed031fbdfee81034d
    • Instruction Fuzzy Hash: 2B51AF72A0120AEFFB298F58D865BAA77A4FF40710F14452DE815872A3E739ED40C7D1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00714869
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?), ref: 007148F4
    • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?), ref: 0071494B
    • SetFileTime.KERNEL32(?,00000000,00000000,00000000), ref: 00714A0D
    • CloseHandle.KERNEL32(?), ref: 00714A14
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: File$Create$CloseH_prolog3_HandleTime
    • String ID:
    • API String ID: 4002707884-0
    • Opcode ID: 0cf78b46c21f258771396339a5ecd0f6e6cd0cc47a99db8e1bb279357dbb26f7
    • Instruction ID: fc0eedf6f7277982ae59bb5ce643b07342bb815e43d80ed10f534d2a17619dc9
    • Opcode Fuzzy Hash: 0cf78b46c21f258771396339a5ecd0f6e6cd0cc47a99db8e1bb279357dbb26f7
    • Instruction Fuzzy Hash: A4519E70E00249ABEF15DFE8D849BEDBBB5AF09310F244119F451B72C1D738AA84CB68
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 007392D9
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007392FC
      • Part of subcall function 00736B6E: RtlAllocateHeap.NTDLL(00000000,0072C17E,?,?,0072D656,?,?,?,00000000,?,0072C08A,0072C17E,?,?,?,?), ref: 00736BA0
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00739322
    • _free.LIBCMT ref: 00739335
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00739344
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
    • String ID:
    • API String ID: 336800556-0
    • Opcode ID: 21739706fff7a80808373f0a526829f73084dad48970828ece1de08265c1b641
    • Instruction ID: c09a843bc622ce9d2446303fc7fed45cede343d9d3664bd07dac578e361b8293
    • Opcode Fuzzy Hash: 21739706fff7a80808373f0a526829f73084dad48970828ece1de08265c1b641
    • Instruction Fuzzy Hash: 1C0184B66426157F732116665CCCC7F6A6DDEC2B60B554129BA04C2192EAA98C1285B0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 00739BB7
      • Part of subcall function 00736B34: RtlFreeHeap.NTDLL(00000000,00000000,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?), ref: 00736B4A
      • Part of subcall function 00736B34: GetLastError.KERNEL32(?,?,00739C36,?,00000000,?,00000000,?,00739C5D,?,00000007,?,?,0073A05A,?,?), ref: 00736B5C
    • _free.LIBCMT ref: 00739BC9
    • _free.LIBCMT ref: 00739BDB
    • _free.LIBCMT ref: 00739BED
    • _free.LIBCMT ref: 00739BFF
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 86cf371679be0dcb10a09df871f26228918db97735d13808f06370f6fbdd47dd
    • Instruction ID: d8811dd47d03d0cc3b8e9741df1b50874ec4950e1e5c0921808575cfcf09e48e
    • Opcode Fuzzy Hash: 86cf371679be0dcb10a09df871f26228918db97735d13808f06370f6fbdd47dd
    • Instruction Fuzzy Hash: 1FF012B2605210B7B660DB68F5C6C16B7D9BA01720F798806F149D7943CBBDFC808A78
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _wcslen.LIBCMT ref: 0072A104
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
    • __EH_prolog3_GS.LIBCMT ref: 0072A452
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _wcslen$H_prolog3_
    • String ID: .lnk$0$lnk
    • API String ID: 2000020936-906397761
    • Opcode ID: 9a47787f8f166881729d6fe9b81c9150651f688d82ac3bc23132d9979a55e47d
    • Instruction ID: 27a67ccf35f50ff96355f661995f602da41ce8d986b80b94f1dea83b7099fd49
    • Opcode Fuzzy Hash: 9a47787f8f166881729d6fe9b81c9150651f688d82ac3bc23132d9979a55e47d
    • Instruction Fuzzy Hash: 45E12D71904268DFDB24DBA4DC89BDDB7B8BF09300F5404AAE509A7292EB385BC4CF51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetTempPathW.KERNEL32(00000105,00000000,00000000,0000020A), ref: 00729AC6
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
      • Part of subcall function 0071559C: _wcslen.LIBCMT ref: 007155AC
    • EndDialog.USER32(?,00000001), ref: 00729E3A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _wcslen$DialogPathTemp
    • String ID: $@set:user
    • API String ID: 2172748170-1503366402
    • Opcode ID: b0a6438f28dac5c9f1e327d4baeb4267b912c2e30a1a1fffff09c1acd6319d43
    • Instruction ID: 8547d2111d92ea8b77f1fa2c94a4134bc8b64c30d9f27c423860c4a31ad1b5d1
    • Opcode Fuzzy Hash: b0a6438f28dac5c9f1e327d4baeb4267b912c2e30a1a1fffff09c1acd6319d43
    • Instruction Fuzzy Hash: 65C16D71D00268DADF21DBA4DD49BDDBBB8AF15300F4440AAE949B7282DB785AC4CF61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Kofc4rRZdp.exe,00000104), ref: 00735582
    • _free.LIBCMT ref: 0073564D
    • _free.LIBCMT ref: 00735657
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\Kofc4rRZdp.exe
    • API String ID: 2506810119-95934980
    • Opcode ID: 7aeb20772e97bd253987037c65d10650086c991549871680527ede342e15aa34
    • Instruction ID: bf728c33e290b71a1bfc10681984955d9f578e9d6e46ac594c7d1975d509e192
    • Opcode Fuzzy Hash: 7aeb20772e97bd253987037c65d10650086c991549871680527ede342e15aa34
    • Instruction Fuzzy Hash: D331B3B1A00608EFEB21DF94DC85D9EBBF9EF89710F244066F404D7212D6785A40CB94
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0073066E
    • _abort.LIBCMT ref: 00730779
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: EncodePointer_abort
    • String ID: MOC$RCC
    • API String ID: 948111806-2084237596
    • Opcode ID: ded52633e5cc4f2961b2b6f7b42ca85bdffebeebdfc7f2ffc95921169777c84d
    • Instruction ID: f82f0e615079de1e694f31a91085c26c2ba07a4b4796e38274128c0707a8359e
    • Opcode Fuzzy Hash: ded52633e5cc4f2961b2b6f7b42ca85bdffebeebdfc7f2ffc95921169777c84d
    • Instruction Fuzzy Hash: 71417971900209EFDF15CF98DD95AEEBBB5BF48300F148159F908A7222D339A961CF90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __fprintf_l.LIBCMT ref: 007170C0
    • _strncpy.LIBCMT ref: 0071710B
      • Part of subcall function 0071BBC8: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00717BB8,?,00000000,00000000,?,?,?,00717BB8,?,?,00000050), ref: 0071BBE5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ByteCharMultiWide__fprintf_l_strncpy
    • String ID: $%s$@%s
    • API String ID: 562999700-834177443
    • Opcode ID: ea880f798da154119a388857a2e472b1e2d678a508648ab977709ca523da2d37
    • Instruction ID: 7e5b73724e4b3388de8163cbc03561ee1ee4588e9eef79cc669f1dcae758c139
    • Opcode Fuzzy Hash: ea880f798da154119a388857a2e472b1e2d678a508648ab977709ca523da2d37
    • Instruction Fuzzy Hash: C6216FB260430DEBEB24DEACCC45EEE77B8BB05310F040515FA1097292E738EA55CB61
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID:
    • String ID: RENAMEDLG$REPLACEFILEDLG
    • API String ID: 0-56093855
    • Opcode ID: 5e5769af5987c6f4163068197d988a38ca12888fd47765ff83ab772f65a100ce
    • Instruction ID: 637411641b8ef7b6caa14881a1478e877903323689deb58e0252665b58d8b2ad
    • Opcode Fuzzy Hash: 5e5769af5987c6f4163068197d988a38ca12888fd47765ff83ab772f65a100ce
    • Instruction Fuzzy Hash: EE1170B1605320BFC3218F15FD449677BA5E749355B04882AF447A3220D3BDE804DF6B
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00731033,00000000,?,0076B8E8,?,?,?,007311D6,00000004,InitializeCriticalSectionEx,00745294,InitializeCriticalSectionEx), ref: 0073108F
    • GetLastError.KERNEL32(?,00731033,00000000,?,0076B8E8,?,?,?,007311D6,00000004,InitializeCriticalSectionEx,00745294,InitializeCriticalSectionEx,00000000,?,00730F8D), ref: 00731099
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 007310C1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID: api-ms-
    • API String ID: 3177248105-2084034818
    • Opcode ID: a8aaa1d85a834fc33d50d5aa5a8f77ed35f41975d49e6a0d1e0c2d44905883ba
    • Instruction ID: ccd33a6e4346fb579b58abd4a7c315daa5e7b3ee1170f631cc9f5cf4883ddc86
    • Opcode Fuzzy Hash: a8aaa1d85a834fc33d50d5aa5a8f77ed35f41975d49e6a0d1e0c2d44905883ba
    • Instruction Fuzzy Hash: EEE04834680208F7FB201B60EC06B193B99AB11B90F504021FA4CAD4E3D7699A61C988
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000000,54E85006,00731DA4,00000000,00000000,00732DD9,?,00732DD9,?,00000001,00731DA4,54E85006,00000001,00732DD9,00732DD9), ref: 00739D75
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00739DFE
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00739E10
    • __freea.LIBCMT ref: 00739E19
      • Part of subcall function 00736B6E: RtlAllocateHeap.NTDLL(00000000,0072C17E,?,?,0072D656,?,?,?,00000000,?,0072C08A,0072C17E,?,?,?,?), ref: 00736BA0
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
    • String ID:
    • API String ID: 2652629310-0
    • Opcode ID: c2a095a1529645d661f6ba5d291ecfe91f93e8eca2f09517522f57afc4e191d0
    • Instruction ID: b9182df6cd4cf697da13ae35bc0041e304dccc7bcab56ccd0c42d67e0686c057
    • Opcode Fuzzy Hash: c2a095a1529645d661f6ba5d291ecfe91f93e8eca2f09517522f57afc4e191d0
    • Instruction Fuzzy Hash: 7D31D872A1021AABEF24CF64DC45DEE7BA5EB00310F044168FD04D7292EB39CDA0CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 00719AE3
    • ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,?,?,?,?,?,00000010), ref: 00719AFA
    • ExpandEnvironmentStringsW.KERNEL32(?,?,?,00000000,?,?,?,?,?,00000010), ref: 00719B37
    • _wcslen.LIBCMT ref: 00719B47
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: EnvironmentExpandStrings$H_prolog3_wcslen
    • String ID:
    • API String ID: 3741103063-0
    • Opcode ID: ccd3157d934caa67c4ce5aa09b6a7f0ae0f40c2e752f1cc295ead9c337500324
    • Instruction ID: 990bca3b266400d71a4f11dbb4be6603d94b84b5e98cf76e4f08d33c94f72be7
    • Opcode Fuzzy Hash: ccd3157d934caa67c4ce5aa09b6a7f0ae0f40c2e752f1cc295ead9c337500324
    • Instruction Fuzzy Hash: AC1191B0A0521AEB9B14DF6898999FFB779FF41310B504119B511A7281DB38AD86CBB0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 00715CFE
      • Part of subcall function 00715032: GetVersionExW.KERNEL32(?), ref: 00715063
    • FoldStringW.KERNEL32(00000020,?,000000FF,00000000,00000000,0000000C,0072419F,?,?,?), ref: 00715D25
    • FoldStringW.KERNEL32(00000020,?,000000FF,?,00000008,00000000), ref: 00715D5F
    • _wcslen.LIBCMT ref: 00715D6A
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: FoldString$H_prolog3Version_wcslen
    • String ID:
    • API String ID: 535866816-0
    • Opcode ID: 32310033c0384286c41b97672d174c5d8e1a6326a3ea2c1d75033bab6cd78cc1
    • Instruction ID: f5dde6da6055075ec9c2ded5b6907ad6ad349e3bd65058acdcf08737e946192d
    • Opcode Fuzzy Hash: 32310033c0384286c41b97672d174c5d8e1a6326a3ea2c1d75033bab6cd78cc1
    • Instruction Fuzzy Hash: 2F11C831A01525EAD704AF6CDC4E9BF7B78AF45720F140205F410A71D2CB389980C7E1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,0073807B,?,00000000,00000000,00000000,?,00738278,00000006,FlsSetValue), ref: 00738106
    • GetLastError.KERNEL32(?,0073807B,?,00000000,00000000,00000000,?,00738278,00000006,FlsSetValue,00746870,FlsSetValue,00000000,00000364,?,00736837), ref: 00738112
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0073807B,?,00000000,00000000,00000000,?,00738278,00000006,FlsSetValue,00746870,FlsSetValue,00000000), ref: 00738120
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: a0b64c0ca0c31613614cede73e1e4b29deedd79d4fbf65452cba37f4dcea5982
    • Instruction ID: 2b6d5abb66ece05d56140a2087dcd774f472b9810206bcde6c5c6d80e15b4de1
    • Opcode Fuzzy Hash: a0b64c0ca0c31613614cede73e1e4b29deedd79d4fbf65452cba37f4dcea5982
    • Instruction Fuzzy Hash: A701473620133EABD7214B68DC44A563BA8EF06BA1F254125FA06D3142DF38C803C6E5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 00715D9B
    • GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00716209,?,000000FF,\\?\,D5FC40FB,?,000000FF,?,?,0073FF80,000000FF), ref: 00715DA4
    • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,000000FF,?,?,0073FF80,000000FF), ref: 00715DD3
    • _wcslen.LIBCMT ref: 00715DDC
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CurrentDirectory$H_prolog3_wcslen
    • String ID:
    • API String ID: 19219720-0
    • Opcode ID: 268ddbdb0244ab04c021e66ab8e0f63a2f893ffe76067c0c90d37f339c8963a1
    • Instruction ID: ee9832f6af645d12c43228fea7c3dfbb3dce7fcef4a62214da3ee9f36b6bdda8
    • Opcode Fuzzy Hash: 268ddbdb0244ab04c021e66ab8e0f63a2f893ffe76067c0c90d37f339c8963a1
    • Instruction Fuzzy Hash: 5701A772D00525EA8B15AFF898099FF7B79AF81B20B544209F501AB281CB384941C7E0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SleepConditionVariableCS.KERNELBASE(?,0072CCFB,00000064), ref: 0072CD81
    • LeaveCriticalSection.KERNEL32(0076B878,?,?,0072CCFB,00000064,?,?,?,?,?,00000000,00740349,000000FF), ref: 0072CD8B
    • WaitForSingleObjectEx.KERNEL32(?,00000000,?,0072CCFB,00000064,?,?,?,?,?,00000000,00740349,000000FF), ref: 0072CD9C
    • EnterCriticalSection.KERNEL32(0076B878,?,0072CCFB,00000064,?,?,?,?,?,00000000,00740349,000000FF), ref: 0072CDA3
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
    • String ID:
    • API String ID: 3269011525-0
    • Opcode ID: 1f2ee8062ec9d34b743c83786d22967f6b406ce542d29a0dcdc55e0ed42b80a0
    • Instruction ID: 3244e3c365eafbced44e0a5b8bb75333f3d6676f60e73e9b4942b93eb2cc70b3
    • Opcode Fuzzy Hash: 1f2ee8062ec9d34b743c83786d22967f6b406ce542d29a0dcdc55e0ed42b80a0
    • Instruction Fuzzy Hash: 00E09235681228FBCB022B61FC0899D3F1DEB07751B048132FA0A93120C7AD58A18BC8
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetDC.USER32(00000000), ref: 00725C00
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00725C0F
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00725C1D
    • ReleaseDC.USER32(00000000,00000000), ref: 00725C2B
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CapsDevice$Release
    • String ID:
    • API String ID: 1035833867-0
    • Opcode ID: 63a3b7b24b00bf3064cf2b6dacce51d6a831268625d4173c641c6b4e7f081748
    • Instruction ID: fd1567d29571ed5afc8f723791d01e801462ccd71400b4ddad4452d146822b27
    • Opcode Fuzzy Hash: 63a3b7b24b00bf3064cf2b6dacce51d6a831268625d4173c641c6b4e7f081748
    • Instruction Fuzzy Hash: 3AE0EC31982B20EBD6222BB47D0DB9B3B54AB05B52F00C502F643AA194DBFC84048BA9
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __Init_thread_footer.LIBCMT ref: 0071B4A9
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
      • Part of subcall function 007277DE: __EH_prolog3_GS.LIBCMT ref: 007277E5
      • Part of subcall function 007277DE: GetLastError.KERNEL32(0000001C,0071B459,?,00000000,00000086,?,D5FC40FB,?,?,?,?,?,00000000,00740349,000000FF), ref: 007277FD
      • Part of subcall function 007277DE: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000,00740349,000000FF), ref: 00727836
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ErrorLast$H_prolog3_Init_thread_footer_wcslen
    • String ID: %ls
    • API String ID: 1279724102-3246610740
    • Opcode ID: 89fdd49a8b2a3ceff00000c0c10a5e147c08b9e95e7d3ed4b3e9ce28fef37c56
    • Instruction ID: 129756eca45aacecaeb1452ec8dce1f61311db68879df578ad0bfcf4369ead7a
    • Opcode Fuzzy Hash: 89fdd49a8b2a3ceff00000c0c10a5e147c08b9e95e7d3ed4b3e9ce28fef37c56
    • Instruction Fuzzy Hash: A4B1C370809249EADB20EF58D94AFDD7BB4FF14B00F108419F942661D1EBBC9B99DA41
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00715D94: __EH_prolog3.LIBCMT ref: 00715D9B
      • Part of subcall function 00715D94: GetCurrentDirectoryW.KERNEL32(00000000,00000000,0000000C,00716209,?,000000FF,\\?\,D5FC40FB,?,000000FF,?,?,0073FF80,000000FF), ref: 00715DA4
      • Part of subcall function 00716449: __EH_prolog3_GS.LIBCMT ref: 00716450
      • Part of subcall function 00714CC7: __EH_prolog3_GS.LIBCMT ref: 00714CCE
      • Part of subcall function 00714A2F: __EH_prolog3_GS.LIBCMT ref: 00714A36
      • Part of subcall function 00714A2F: SetFileAttributesW.KERNELBASE(?,00000000,00000024,00714830,?,?,?,?,?,?,00000024,007142E9,?,00000001,00000000,?), ref: 00714A4C
      • Part of subcall function 00714A2F: SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000024), ref: 00714A8F
    • MoveFileW.KERNEL32(?,?), ref: 0072921E
    • MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00729238
      • Part of subcall function 00715F86: __EH_prolog3_GS.LIBCMT ref: 00715F8D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: FileH_prolog3_$AttributesMove$CurrentDirectoryH_prolog3
    • String ID: .tmp
    • API String ID: 3107500630-2986845003
    • Opcode ID: b34f61c47527fda462830a2b7660f0a0a63a6f23b8c597ab0abf0b73d14dfef3
    • Instruction ID: d75c71f7bb67f231e13237267658aa9cf50c08020628e51198adda9238eef13d
    • Opcode Fuzzy Hash: b34f61c47527fda462830a2b7660f0a0a63a6f23b8c597ab0abf0b73d14dfef3
    • Instruction Fuzzy Hash: B3C1C471C00268DADB25DFA4D889BDDB7B8BF09300F5441EAE549B3291DB385AC9CF61
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00725C33: GetDC.USER32(00000000), ref: 00725C37
      • Part of subcall function 00725C33: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00725C42
      • Part of subcall function 00725C33: ReleaseDC.USER32(00000000,00000000), ref: 00725C4D
    • GetObjectW.GDI32(?,00000018,?), ref: 00725FEE
      • Part of subcall function 00726275: GetDC.USER32(00000000), ref: 0072627E
      • Part of subcall function 00726275: GetObjectW.GDI32(?,00000018,?), ref: 007262AD
      • Part of subcall function 00726275: ReleaseDC.USER32(00000000,?), ref: 00726345
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ObjectRelease$CapsDevice
    • String ID: (
    • API String ID: 1061551593-3887548279
    • Opcode ID: b851d6a2e825c8dbb53d7b86f2bd2aad3a7fd43e8037f271029da7e57af9709d
    • Instruction ID: 2f7ce35706b77837476b8b4b95052ea564dc61b27af366068e54b0a6d47bd0d6
    • Opcode Fuzzy Hash: b851d6a2e825c8dbb53d7b86f2bd2aad3a7fd43e8037f271029da7e57af9709d
    • Instruction Fuzzy Hash: 6E9103756093549FC720DF29D844A2BBBE8FFC9B14F10891EF58AD3261CB74A905CB62
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3_
    • String ID: <>t
    • API String ID: 2427045233-3298651070
    • Opcode ID: f79da743b17a25fa336aac12852ccf3fcba29b23ff29fc8f0df4613a5ffd1043
    • Instruction ID: 2c814faf24dc27cb39566d56c01b5b375f12c3b1b45a48ec7c67984bb0f39278
    • Opcode Fuzzy Hash: f79da743b17a25fa336aac12852ccf3fcba29b23ff29fc8f0df4613a5ffd1043
    • Instruction Fuzzy Hash: 90A15E71C00268DBCF65DF68DC48BDDB7B8BF09300F5041AAE549A7292DB789A89CF51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 007386C4
      • Part of subcall function 007314AB: IsProcessorFeaturePresent.KERNEL32(00000017,0073147D,0072C17E,?,?,?,0072C17E,00000016,?,?,0073148A,00000000,00000000,00000000,00000000,00000000), ref: 007314AD
      • Part of subcall function 007314AB: GetCurrentProcess.KERNEL32(C0000417,?,0072C17E), ref: 007314CF
      • Part of subcall function 007314AB: TerminateProcess.KERNEL32(00000000,?,0072C17E), ref: 007314D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
    • String ID: *?$.
    • API String ID: 2667617558-3972193922
    • Opcode ID: b63559d0858a43ca95d39679e396630d290c71714544b7807d7bcc40eb2fce06
    • Instruction ID: 48d5544cd92e23490f8537a17a325a36a30c18d6fca8b73f00bf6fc73551fca2
    • Opcode Fuzzy Hash: b63559d0858a43ca95d39679e396630d290c71714544b7807d7bcc40eb2fce06
    • Instruction Fuzzy Hash: 2D518375E00209EFEF14DFA8C885AADB7B5FF58314F244169F854E7342EA399E018B51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0071F9DB
      • Part of subcall function 00714C75: FindClose.KERNELBASE(00000000,000000FF,?,?,?,?,0071FA7D,0076B1E4,-00000070,00000000), ref: 00714C9D
      • Part of subcall function 0071CB19: _swprintf.LIBCMT ref: 0071CB52
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CloseFindH_prolog3__swprintf
    • String ID: zip$zipx
    • API String ID: 4097574867-1268445101
    • Opcode ID: d86111db2dc1ab03e8cdefa1ab3bba6afbba4ef99dab3ec7dd9ec7dc2a851098
    • Instruction ID: 47bb231cc35e2082dd2106995d84cdc28e79f8a2699c054f3d722e8cf57793df
    • Opcode Fuzzy Hash: d86111db2dc1ab03e8cdefa1ab3bba6afbba4ef99dab3ec7dd9ec7dc2a851098
    • Instruction Fuzzy Hash: 5F519DB0905204EBCB19DF68EC58AAD77B4BF45314F14812AF406E72E1DB7CA985CF15
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___except_validate_context_record.LIBVCRUNTIME ref: 0072FBDF
    • __IsNonwritableInCurrentImage.LIBCMT ref: 0072FC93
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CurrentImageNonwritable___except_validate_context_record
    • String ID: csm
    • API String ID: 3480331319-1018135373
    • Opcode ID: 5f2ccc04b91e6d9d749da13fdb7f338033630771bf3b39be03c20504f91c6935
    • Instruction ID: a77fb027fdcbae2dbcd78bd48508c631ccf621be8c7a3ad706c7c877153dd8f7
    • Opcode Fuzzy Hash: 5f2ccc04b91e6d9d749da13fdb7f338033630771bf3b39be03c20504f91c6935
    • Instruction Fuzzy Hash: BA41C238A0022DDBCF10DF68D894A9EBBB5FF45324F148175EC149B392C7399942CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3.LIBCMT ref: 00724BA5
      • Part of subcall function 00714FA6: __EH_prolog3.LIBCMT ref: 00714FAD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3
    • String ID: Shell.Explorer$about:blank
    • API String ID: 431132790-874089819
    • Opcode ID: 21f2efbc5ad14fda91008d39c766f7a0698d8d72e9dcd07fc2ea721c9f12eee7
    • Instruction ID: ab6bb1a72dfcc77162f121187a731e3aef96eb7bf56963c2c61fd272ad92654a
    • Opcode Fuzzy Hash: 21f2efbc5ad14fda91008d39c766f7a0698d8d72e9dcd07fc2ea721c9f12eee7
    • Instruction Fuzzy Hash: 69417F74701221DFDB18DF68E955B7A77B5BF88700F24805DE8069F2A1DB78AD41CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00736765: GetLastError.KERNEL32(?,?,00731C52,?,?,?,007316CD,00000050,?), ref: 00736769
      • Part of subcall function 00736765: _free.LIBCMT ref: 0073679C
      • Part of subcall function 00736765: SetLastError.KERNEL32(00000000,?), ref: 007367DD
      • Part of subcall function 00736765: _abort.LIBCMT ref: 007367E3
      • Part of subcall function 00738EEE: _abort.LIBCMT ref: 00738F20
      • Part of subcall function 00738EEE: _free.LIBCMT ref: 00738F54
      • Part of subcall function 00738B5B: GetOEMCP.KERNEL32(00000000,?,?,00738DE4,?), ref: 00738B86
    • _free.LIBCMT ref: 00738E3F
    • _free.LIBCMT ref: 00738E75
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _free$ErrorLast_abort
    • String ID: 0t
    • API String ID: 2991157371-555663880
    • Opcode ID: c2478ee3049b4251eadc1a36ace9470872fa843f1e40035a8fbadea482f4a2cb
    • Instruction ID: b6c4aac0a37f779aa20f181a08670cbc276864eb743144b734f71353bdcb35a6
    • Opcode Fuzzy Hash: c2478ee3049b4251eadc1a36ace9470872fa843f1e40035a8fbadea482f4a2cb
    • Instruction Fuzzy Hash: D131BC31904209EFEB50EFA8D845BADB7E5EF40720F25409AF4049B2A3EF7A9D41CB51
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00711B78: GetDlgItem.USER32(00000000,00003021), ref: 00711BBC
      • Part of subcall function 00711B78: SetWindowTextW.USER32(00000000,00742668), ref: 00711BD2
    • EndDialog.USER32(?,00000001), ref: 007270DB
    • SetDlgItemTextW.USER32(?,00000067,?), ref: 00727119
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ItemText$DialogWindow
    • String ID: GETPASSWORD1
    • API String ID: 445417207-3292211884
    • Opcode ID: d76b776b7b4c70bc088f56d68cb5b9da7cb3e8d6f3b2c5ba339bb8b5976a2e7e
    • Instruction ID: eaa931bf3aa3744982f9d51f78946df250eb98c8627dee85f189f07f4b53a840
    • Opcode Fuzzy Hash: d76b776b7b4c70bc088f56d68cb5b9da7cb3e8d6f3b2c5ba339bb8b5976a2e7e
    • Instruction Fuzzy Hash: C31129B2608328ABD2359624AD49FFB779CEB85710F004829F745A70C1C66DA845C276
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00718C09: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00718C28
      • Part of subcall function 00718C09: GetProcAddress.KERNEL32(0075A138,CryptUnprotectMemory), ref: 00718C38
    • GetCurrentProcessId.KERNEL32(?,?,?,00718C79), ref: 00718D0C
    Strings
    • CryptUnprotectMemory failed, xrefs: 00718D04
    • CryptProtectMemory failed, xrefs: 00718CC3
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AddressProc$CurrentProcess
    • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
    • API String ID: 2190909847-396321323
    • Opcode ID: 0e1b1ed71ac00b7768e7692877548ce0ce6bcc69b691f980884d943ee6c5d733
    • Instruction ID: 12decf09b75c4d45f318c55a4129e2b95084b467b759188e3515e1182ba98d03
    • Opcode Fuzzy Hash: 0e1b1ed71ac00b7768e7692877548ce0ce6bcc69b691f980884d943ee6c5d733
    • Instruction Fuzzy Hash: 14112931B01728ABCB255F2CAC045EE3B65EF18760B04815AFC416B2D2DF7C9D9187E6
    Uniqueness

    Uniqueness Score: -1.00%

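The records above are uniform enough to parse mechanically, and the record just shown is the one worth automating around: the stub resolves CryptProtectMemory and CryptUnprotectMemory through GetProcAddress, so those names never appear in the PE import table and an import-only triage misses them. The following is an added example, not part of the Joe Sandbox report and not a Joe Sandbox tool, that turns records in this layout into Python objects and pulls out what an analyst wants first: direct calls versus "Part of subcall function" references, symbol names resolved at runtime via GetProcAddress, and records whose strings match an indicator such as the GETPASSWORD1 dialog. The embedded sample is constructed from two records on this page; the field names and helper functions are the example's own.

```python
# Added example: parse Joe Sandbox per-function records (layout shown on this page) into
# structured objects and extract triage facts. Not a Joe Sandbox tool; names are ours.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
# Constructed sample: two records abbreviated from this report.
SAMPLE = """\
APIs
  • Part of subcall function 00718C09: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00718C28
  • Part of subcall function 00718C09: GetProcAddress.KERNEL32(0075A138,CryptUnprotectMemory), ref: 00718C38
• GetCurrentProcessId.KERNEL32(?,?,?,00718C79), ref: 00718D0C
Strings
• CryptUnprotectMemory failed, xrefs: 00718D04
• CryptProtectMemory failed, xrefs: 00718CC3
Memory Dump Source
• Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
• Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: AddressProc$CurrentProcess
• String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
• API String ID: 2190909847-396321323
Uniqueness
Uniqueness Score: -1.00%
APIs
• IsWindowVisible.USER32(0001044A), ref: 0072B06B
• DialogBoxParamW.USER32(GETPASSWORD1,0001044A,00727070,?), ref: 0072B094
Strings
Similarity
• API ID: DialogParamVisibleWindow
• String ID: GETPASSWORD1
Uniqueness Score: -1.00%
"""
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness"}
# "<name>.<module>(<args>), ref: <addr>"; args are optional (CRT-internal calls have none)
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Za-z0-9_@]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                   # call-site address
    subcall_of: Optional[str]  # callee address when the call sits inside a subcall

@dataclass
class Record:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Tuple[str, str]] = field(default_factory=list)  # (text, xref)
    source: Dict[str, List[str]] = field(default_factory=dict)
    similarity: Dict[str, str] = field(default_factory=dict)
    uniqueness: Optional[str] = None

def parse_records(text: str) -> List[Record]:
    records, cur, section = [], Record(), None
    for line in (l.strip() for l in text.splitlines()):
        if line in SECTIONS:
            section = line
        elif line.startswith("Uniqueness Score:"):      # closes a record
            cur.uniqueness = line.split(":", 1)[1].strip()
            records.append(cur)
            cur, section = Record(), None
        elif line.startswith("•"):                     # bullet = data line
            body = line[1:].strip()
            if section == "APIs" and (m := API_RE.match(body)):
                args = m["args"].split(",") if m["args"] else []
                cur.apis.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["sub"]))
            elif section == "Strings":
                txt, _, xref = body.rpartition(", xrefs: ")
                cur.strings.append((txt, xref))
            elif section == "Memory Dump Source":      # "key: value, key: value, ..."
                for key, _, val in (p.partition(":") for p in body.split(", ")):
                    cur.source.setdefault(key.strip(), []).append(val.strip())
            elif section == "Similarity":
                key, _, val = body.partition(":")
                cur.similarity[key.strip()] = val.strip()
    if cur.apis or cur.strings or cur.similarity:     # trailing record without a score line
        records.append(cur)
    return records

def direct_calls(rec: Record) -> List[ApiCall]:
    return [c for c in rec.apis if c.subcall_of is None]

def records_calling(records, api_name, include_subcalls=False):
    return [r for r in records if any(c.name == api_name
            for c in (r.apis if include_subcalls else direct_calls(r)))]

def dynamically_resolved(records):
    """Symbol names passed to GetProcAddress: these never appear in the PE import
    table, so an import-table-only triage misses them."""
    names = set()
    for c in (c for r in records for c in r.apis if c.name == "GetProcAddress"):
        if len(c.args) > 1 and c.args[1] != "?" and not re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[1]):
            names.add(c.args[1])
    return names

def string_hits(records, needle):
    """Records whose Strings entries or Similarity 'String ID' contain needle."""
    return [r for r in records if needle in r.similarity.get("String ID", "")
            or any(needle in t for t, _ in r.strings)]
```

To use it on the whole report, save the function section as text and pass it to parse_records; the Opcode ID and Instruction ID values stay available in each record's similarity dict for matching identical code blocks across samples.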
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: _free
    • String ID: ht
    • API String ID: 269201875-696075778
    • Opcode ID: 601b91fcbc732adf1ed147bf6a06ce441a83bf320e9d704caa3523483336f78e
    • Instruction ID: c3df535d8a740ebab5fac71af350c71372a12857d35543d288b9ae38cb0a3b08
    • Opcode Fuzzy Hash: 601b91fcbc732adf1ed147bf6a06ce441a83bf320e9d704caa3523483336f78e
    • Instruction Fuzzy Hash: E411C871B01300A6F720AF78AC05B563794F741734F14C229F516DB5D2E7BCD8824785
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0071CA76
      • Part of subcall function 007114A3: _wcslen.LIBCMT ref: 007114B4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3__wcslen
    • String ID: .zipx$.zx
    • API String ID: 3251556500-3683210447
    • Opcode ID: 224aced744c15bb9af51b73e4e33d7688ad89301705ab92c3f6a023678641bed
    • Instruction ID: 184f1408ef131d7653d20635fd1d39bec38d8427c0ffc0cf25fe72955364083f
    • Opcode Fuzzy Hash: 224aced744c15bb9af51b73e4e33d7688ad89301705ab92c3f6a023678641bed
    • Instruction Fuzzy Hash: BB11217494034CDDDB02EBE8C89AADDBB78AF14354F444029E511BA2C2D7789A89CB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsWindowVisible.USER32(0001044A), ref: 0072B06B
    • DialogBoxParamW.USER32(GETPASSWORD1,0001044A,00727070,?), ref: 0072B094
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: DialogParamVisibleWindow
    • String ID: GETPASSWORD1
    • API String ID: 3157717868-3292211884
    • Opcode ID: 9f511ea2da730519ded189f53adcd4faae7297e84e96aad4dbd5b10633955ebc
    • Instruction ID: 78389583f1eeee4d4a2c07a5c484831c6f230fc746dfb2bc82d904ad174ba70c
    • Opcode Fuzzy Hash: 9f511ea2da730519ded189f53adcd4faae7297e84e96aad4dbd5b10633955ebc
    • Instruction Fuzzy Hash: 1B01D6B1245361FBC7229F64EC45EA73B59AB01300F058115F856A3592C7AC9C45CF77
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00736765: GetLastError.KERNEL32(?,?,00731C52,?,?,?,007316CD,00000050,?), ref: 00736769
      • Part of subcall function 00736765: _free.LIBCMT ref: 0073679C
      • Part of subcall function 00736765: SetLastError.KERNEL32(00000000,?), ref: 007367DD
      • Part of subcall function 00736765: _abort.LIBCMT ref: 007367E3
    • _abort.LIBCMT ref: 00738F20
    • _free.LIBCMT ref: 00738F54
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ErrorLast_abort_free
    • String ID: 0t
    • API String ID: 289325740-555663880
    • Opcode ID: 7d4f8ccbd6fe49187a935877d0ce359dbbf645cf59876186d119e66399c5f955
    • Instruction ID: 768d1b505883410da858eb5e26f65310116acaf077bb1de6fd720850f803b139
    • Opcode Fuzzy Hash: 7d4f8ccbd6fe49187a935877d0ce359dbbf645cf59876186d119e66399c5f955
    • Instruction Fuzzy Hash: 0B016D76D01733DBEBA1AF98940166DB361BB04B21F29460AF85463282CB7D7D018FC6
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00717B5C: _swprintf.LIBCMT ref: 00717B9C
      • Part of subcall function 00717B5C: SetDlgItemTextW.USER32(?,0074E16C,?), ref: 00717C16
      • Part of subcall function 00717B5C: GetWindowRect.USER32(?,?), ref: 00717C4C
      • Part of subcall function 00717B5C: GetClientRect.USER32(?,?), ref: 00717C58
    • GetDlgItem.USER32(00000000,00003021), ref: 00711BBC
    • SetWindowTextW.USER32(00000000,00742668), ref: 00711BD2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: ItemRectTextWindow$Client_swprintf
    • String ID: 0
    • API String ID: 758586884-4108050209
    • Opcode ID: 3f9a8f57897d5dac6f1a50bb9a8a11b59f307893f1c60e575db4b2e0a04295a1
    • Instruction ID: 65d44a3869484a2410091304d9430ec81f453273179c99649815922da966bc74
    • Opcode Fuzzy Hash: 3f9a8f57897d5dac6f1a50bb9a8a11b59f307893f1c60e575db4b2e0a04295a1
    • Instruction Fuzzy Hash: A0F081B010D38CA7DF2A1FA98C09AF93B68AB06304F40C014FE85680D2D77CC8D4DA90
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID:
    • String ID: ls$Zt
    • API String ID: 0-3834685665
    • Opcode ID: 2f994f0b1943a4d57d7120778a8735cb7c85ba9b4d1e138b41e61899d36b3ad5
    • Instruction ID: f951b57c699ba9c3d3e87bba810c357bfa93a6afc99a3226ed515b55e303f84e
    • Opcode Fuzzy Hash: 2f994f0b1943a4d57d7120778a8735cb7c85ba9b4d1e138b41e61899d36b3ad5
    • Instruction Fuzzy Hash: 40F0BBE9108159BAEB289F91C841AF9B3B8DF04710F50806EFD45C7181F6789E91D369
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0071CA6F: __EH_prolog3_GS.LIBCMT ref: 0071CA76
    • _swprintf.LIBCMT ref: 0071CB52
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: H_prolog3__swprintf
    • String ID: h&t$z%s%02d
    • API String ID: 971793590-2793636128
    • Opcode ID: 519dace7688c6e7a78760fae24d4feb2cecf8cca2f7828df340e4b54d43767cf
    • Instruction ID: 9af9c99df1d9933501e1576e199650beb2854c788f9a7e272f79d588716dca1b
    • Opcode Fuzzy Hash: 519dace7688c6e7a78760fae24d4feb2cecf8cca2f7828df340e4b54d43767cf
    • Instruction Fuzzy Hash: 87F05471A0111CFB9B05EBA8D906DEE73BDDF09710B808116F911AB182DB7C9E4547A5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00737956), ref: 007382F5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: CountCriticalInitializeSectionSpin
    • String ID: InitializeCriticalSectionEx$Vys
    • API String ID: 2593887523-2198215079
    • Opcode ID: 470b54bbb30230f70c51f1791ac342c9b388af94feface62e0432c451e6d3376
    • Instruction ID: 314defc1fda74db8e1d98c6f32d0d01f6f01be7ee2cbe41d6c87ca95371f840b
    • Opcode Fuzzy Hash: 470b54bbb30230f70c51f1791ac342c9b388af94feface62e0432c451e6d3376
    • Instruction Fuzzy Hash: FCF0BE7568121CBBDF019F50DC05CAE7F65EF06761F408066FD085A261CF7A8A21DB9A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0072C199
      • Part of subcall function 0072C11B: std::exception::exception.LIBCONCRT ref: 0072C128
      • Part of subcall function 0072DD8A: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,00000000,?,?,0072C18C,?,0074BFA0,?), ref: 0072DDEA
    • ___delayLoadHelper2@8.DELAYIMP ref: 0072C1BF
      • Part of subcall function 0072BDD7: DloadAcquireSectionWriteAccess.DELAYIMP ref: 0072BDE2
      • Part of subcall function 0072BDD7: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0072BE4A
      • Part of subcall function 0072BDD7: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0072BE5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: AccessDloadExceptionRaiseSectionWrite$AcquireHelper2@8LoadRelease___delaystd::exception::exceptionstd::invalid_argument::invalid_argument
    • String ID: @Ut
    • API String ID: 2834720752-141846247
    • Opcode ID: 4d9b646e666efd93c8c40514bdd7c25b4489dd6e645c96b352beee013ebbcb67
    • Instruction ID: 6ccebe7e9fbeb707249616bcd2d0c06fd81771b319d9d3c8e8ea08d347ba822e
    • Opcode Fuzzy Hash: 4d9b646e666efd93c8c40514bdd7c25b4489dd6e645c96b352beee013ebbcb67
    • Instruction Fuzzy Hash: 81D05BF990411CFE9705B6A4BD1BC7D772CC954700B6084A6F951D1042E7AC691549A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleW.KERNEL32(00000000,?,00000064,00000000,00000000,?,?,?,00000000,0000005C,D5FC40FB), ref: 00717B17
    • FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00717B25
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2077168073.0000000000711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00710000, based on PE: true
    • Associated: 00000000.00000002.2077152736.0000000000710000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077193325.0000000000742000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000074E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000757000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.000000000075E000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077209805.0000000000762000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2077267841.000000000076C000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_710000_Kofc4rRZdp.jbxd
    Similarity
    • API ID: FindHandleModuleResource
    • String ID: RTL
    • API String ID: 3537982541-834975271
    • Opcode ID: e230b04611ead21a075f67c4e691a104eb3acae2eb619d1daafc769747268357
    • Instruction ID: 16f35ecb78be605a97b6ecb36fe4f6a35a7f34edde5c4c52ece6a2750663aebb
    • Opcode Fuzzy Hash: e230b04611ead21a075f67c4e691a104eb3acae2eb619d1daafc769747268357
    • Instruction Fuzzy Hash: 69C0127164871156E73017357C4DB832AA45B01711F858545F141DA5D1DBEDD492CBB4
    Uniqueness

    Uniqueness Score: -1.00%

    Execution Graph

    Execution Coverage: 28.3%
    Dynamic/Decrypted Code Coverage: 100%
    Signature Coverage: 9.3%
    Total number of Nodes: 43
    Total number of Limit Nodes: 9

    Callgraph


    Control-flow Graph

    APIs
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 049514CE
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 049514FC
    • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0495177D
    • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 0495180B
    Memory Dump Source
    • Source File: 00000001.00000002.2076391307.0000000004951000.00000020.00001000.00020000.00000000.sdmp, Offset: 04951000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4951000_regsvr32.jbxd
    Similarity
    • API ID: Virtual$Protect$Alloc
    • String ID:
    • API String ID: 2541858876-0
    • Opcode ID: 0bc8ee07a5546a3c43276986cde8fe94f42d4ec68a15947ce53d6279f0dd398b
    • Instruction ID: 3be74e3e1590f39d507d77b753ffd257c2ab0f7640a0844bf67ae82ba1226667
    • Opcode Fuzzy Hash: 0bc8ee07a5546a3c43276986cde8fe94f42d4ec68a15947ce53d6279f0dd398b
    • Instruction Fuzzy Hash: D9025E72E002199FDB18CF69CC41BD9B7F2BF88314F1485AAD519EB654D734AA85CF80
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • CreateFileMappingW.KERNELBASE(?,?,?,?,?,?), ref: 04A79388
    Memory Dump Source
    • Source File: 00000001.00000002.2076520566.0000000004A71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04A71000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4a71000_regsvr32.jbxd
    Similarity
    • API ID: CreateFileMapping
    • String ID:
    • API String ID: 524692379-0
    • Opcode ID: 6ab722221787e69d894194c5c4c42e3b2d71896f7f4b6b3772e6f58312f379ff
    • Instruction ID: f3051a65c900a8276b7d0e6379e1b734ac76f1382cdce1c3d73523e37a111046
    • Opcode Fuzzy Hash: 6ab722221787e69d894194c5c4c42e3b2d71896f7f4b6b3772e6f58312f379ff
    • Instruction Fuzzy Hash: 28C14C76E00129CBDB24CF59C8806DEB7B2BF98310F15859AD909BB254DB74AE81CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04A762A0
    Memory Dump Source
    • Source File: 00000001.00000002.2076520566.0000000004A71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04A71000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4a71000_regsvr32.jbxd
    Similarity
    • API ID: FileView
    • String ID:
    • API String ID: 3314676101-0
    • Opcode ID: ab7a877ffd79899cc7603fe45b61c1814a440daea63f53cd2ebc209e6ee9fc69
    • Instruction ID: 9a5089c440e869d09c9f8ac1e97ab549d6922381fd9141c952cc5f639d314dda
    • Opcode Fuzzy Hash: ab7a877ffd79899cc7603fe45b61c1814a440daea63f53cd2ebc209e6ee9fc69
    • Instruction Fuzzy Hash: EA81B4326096508FD310CF29C88469FFBE3BFC8320F198959E4949B3A4D774E806CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 04A76C44
    Memory Dump Source
    • Source File: 00000001.00000002.2076520566.0000000004A71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04A71000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4a71000_regsvr32.jbxd
    Similarity
    • API ID: CreateThread
    • String ID:
    • API String ID: 2422867632-0
    • Opcode ID: 537b1be1b2e84878ef3fe60934e0b74becee2addf5d73403542023327351b549
    • Instruction ID: f77781c85b7690fcfe35ae1fa3849c58c0a2a2cd55695fa0d0fc38a886b3bd60
    • Opcode Fuzzy Hash: 537b1be1b2e84878ef3fe60934e0b74becee2addf5d73403542023327351b549
    • Instruction Fuzzy Hash: BC917C76E006188FCB24CF69C841ADEBBB6FF88320F158199D519AB355DB31AD46CF90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • FindCloseChangeNotification.KERNELBASE(?), ref: 04A76E0C
    Memory Dump Source
    • Source File: 00000001.00000002.2076520566.0000000004A71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04A71000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4a71000_regsvr32.jbxd
    Similarity
    • API ID: ChangeCloseFindNotification
    • String ID:
    • API String ID: 2591292051-0
    • Opcode ID: cfdd9022297cde4a78b5dc8bb0d26ac1c81bb3a7edd0609dfc727c5b2bc2bfbe
    • Instruction ID: 35d4fd743e8a147215a8ed977e975f5343195a706fa55d59a3d96ba9838cf81b
    • Opcode Fuzzy Hash: cfdd9022297cde4a78b5dc8bb0d26ac1c81bb3a7edd0609dfc727c5b2bc2bfbe
    • Instruction Fuzzy Hash: CB719E76618B118FC314CF29C98062AF7E2FBC8320F1A8A6DE4959B394D774F845CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • VirtualFree.KERNELBASE(?,?,?), ref: 04A78B3C
    Memory Dump Source
    • Source File: 00000001.00000002.2076520566.0000000004A71000.00000020.00001000.00020000.00000000.sdmp, Offset: 04A71000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_4a71000_regsvr32.jbxd
    Similarity
    • API ID: FreeVirtual
    • String ID:
    • API String ID: 1263568516-0
    • Opcode ID: a2e1137750f0f6d465f5da4117e84bfb0b5eaaba48c13b3ab895e7976f072736
    • Instruction ID: 85810a49012378ee0b0ffa9ddcfe5723e6bc59c45cef28c8e7bf7f8872cae5dd
    • Opcode Fuzzy Hash: a2e1137750f0f6d465f5da4117e84bfb0b5eaaba48c13b3ab895e7976f072736
    • Instruction Fuzzy Hash: B4719E726083518FC724DF29C99466FB7E2BFC8310F168A2EE495D7394D674E806CB91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.2076024678.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_960000_regsvr32.jbxd
    Similarity
    • API ID: ProtectVirtual
    • String ID: `
    • API String ID: 544645111-2679148245
    • Opcode ID: 26567fb04521bdaca77a6b4d998c007b2ebf4d8cc87699eb693bc4fbf094c240
    • Instruction ID: 1f3d35a5c1980d52cb8fc71b552a6fb24ad28c8f10b17da3dce551d86617a6f4
    • Opcode Fuzzy Hash: 26567fb04521bdaca77a6b4d998c007b2ebf4d8cc87699eb693bc4fbf094c240
    • Instruction Fuzzy Hash: 2B41ADB5E006288FDB54CF09C980B89BBF1FF88300F15819AC949AB356D735AE81CF91
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.2076024678.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: false
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_960000_regsvr32.jbxd
    Similarity
    • API ID: AllocVirtual
    • String ID:
    • API String ID: 4275171209-0
    • Opcode ID: 7abe5941ddb8d6437af1a035234398983b5f0371bd5dce2b9c50ded6af9b63a6
    • Instruction ID: dbdcabe84b3352c6528905f5b41d9af376880ef892633f8fe67e0737cc7e23ef
    • Opcode Fuzzy Hash: 7abe5941ddb8d6437af1a035234398983b5f0371bd5dce2b9c50ded6af9b63a6
    • Instruction Fuzzy Hash: 2841F1B09002058FCB04DFA8C1547AEBBF0FF48308F24846ED858AB341D37AA946CF95
    Uniqueness

    Uniqueness Score: -1.00%