
Windows Analysis Report
init_DB.exe

Overview

General Information

Sample name:init_DB.exe
Analysis ID:1430160
MD5:f2663571882c3baa5633db216443cc0a
SHA1:85a1283578cef91b29c155c8179733332d48b7c9
SHA256:de3dfcb68228e7f64f30e64980ad8da6629da73b10d5172762aba76721372b7c

Detection

Babadeda
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Babadeda
Machine Learning detection for sample
Contains functionality to dynamically determine API calls
Detected potential crypto function
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

  • System is w10x64
  • init_DB.exe (PID: 1344 cmdline: "C:\Users\user\Desktop\init_DB.exe" MD5: F2663571882C3BAA5633DB216443CC0A)
    • conhost.exe (PID: 4564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6784 cmdline: "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  • cleanup
Malware family
Name: Babadeda
Description: According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda
No configs have been found
Yara matches
Source | Rule | Description | Author
init_DB.exe | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security
0.0.init_DB.exe.400000.0.unpack | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security
0.2.init_DB.exe.400000.0.unpack | JoeSecurity_Babadeda | Yara detected Babadeda | Joe Security
No Sigma rule has matched
No Snort rule has matched


        AV Detection

Source: init_DB.exe | ReversingLabs: Detection: 50%
Source: init_DB.exe | Virustotal: Detection: 39%
Source: init_DB.exe | Joe Sandbox ML: detected
Source: init_DB.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\init_DB.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\init_DB.exe | File opened: C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp
Source: C:\Users\user\Desktop\init_DB.exe | File opened: C:\Users\user\
Source: C:\Users\user\Desktop\init_DB.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\init_DB.exe | File opened: C:\Users\user\AppData\Local\Temp\1413.tmp
Source: C:\Users\user\Desktop\init_DB.exe | File opened: C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.tmp
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00411079
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00411C20
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00411033
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00410C80
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00410CA0
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_0040B9C7
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_0040FA68
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_0040CF18
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_0040EFF0
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00410FB0
Source: classification engine | Classification label: mal60.troj.winEXE@4/1@0/0
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4564:120:WilError_03
Source: C:\Users\user\Desktop\init_DB.exe | File created: C:\Users\user\AppData\Local\Temp\1413.tmp
Source: C:\Users\user\Desktop\init_DB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\init_DB.exe "C:\Users\user\Desktop\init_DB.exe"
Source: C:\Users\user\Desktop\init_DB.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\init_DB.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe"
Source: C:\Users\user\Desktop\init_DB.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\init_DB.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\init_DB.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\init_DB.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll

        Data Obfuscation

Source: Yara match | File source: init_DB.exe, type: SAMPLE
Source: Yara match | File source: 0.0.init_DB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.init_DB.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary
Source: init_DB.exe | Static PE information: section name: .code
Source: C:\Users\user\Desktop\init_DB.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00409FD0 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\init_DB.exe | Code function: 0_2_00405573 GetVersionExW,GetVersionExW
MITRE ATT&CK Matrix (a leading number is the count of signatures that matched the technique; entries without a number are the matrix's placeholder techniques for that tactic)
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Native API | 1 Scripting | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Behavior Graph (ID 1430160): sample init_DB.exe, start date 23/04/2024, architecture WINDOWS, score 60. Signatures attached to the sample node: Multi AV Scanner detection for submitted file; Yara detected Babadeda; Machine Learning detection for sample. Process tree shown in the graph: init_DB.exe started, and in turn started cmd.exe and conhost.exe.

Source | Detection | Scanner | Label
init_DB.exe | 50% | ReversingLabs | Win32.Trojan.RealProtect
init_DB.exe | 39% | Virustotal |
init_DB.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No contacted domains info
No contacted IP infos
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1430160
        Start date and time:2024-04-23 08:21:25 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 2m 1s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of analysed new started processes analysed:4
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name:init_DB.exe
        Detection:MAL
        Classification:mal60.troj.winEXE@4/1@0/0
        EGA Information:
        • Successful, ratio: 100%
        HCA Information:
        • Successful, ratio: 100%
        • Number of executed functions: 30
        • Number of non-executed functions: 53
        Cookbook Comments:
        • Found application associated with file extension: .exe
        • Stop behavior analysis, all processes terminated
        • Exclude process from analysis (whitelisted): dllhost.exe
• Not all processes were analyzed; the report is missing behavior information
No simulations
No context
Dropped file (the only file the sample writes; it is the script that cmd.exe runs in the process tree above)
Process: C:\Users\user\Desktop\init_DB.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 525
Entropy (8bit): 5.497029541798505
Encrypted: false
SSDEEP: 12:NSN1IX9Cyt0yuSu9Cyt0/n2PaBt2am79Cyt0PbA1:QNmEyJuKy2nVNyqbA1
MD5: 9F4583205CE0445E8C1C1825A610C67E
SHA1: 4D7D01983E56BC441649C85619AE85C6AB76FEEE
SHA-256: 523A531AC2645B757AFAD7FE4A60F85F21B369B070DEBC794B64EF7A8D4D8606
SHA-512: F02A77943A5A619A2924EEF1287DB454178836CDFA6626EBBA0C6166B04B18D3D486DDCCE9EE0D64B42D596D5D4CC5F47A8003A2EA7A093F47DCF6C50F15DCC4
Malicious: false
Reputation: low
Preview (the 525-byte batch script as previewed by the sandbox; CRLF line endings rendered as line breaks):
@shift /0
@echo off
echo %1
cd %1
setlocal
set PGPASSWORD=1qaz@WSX
"C:\Program Files\PostgreSQL\14.2\bin\psql" -U postgres -c "CREATE USER admin PASSWORD 'lgeuser' SUPERUSER"

"C:\Program Files\PostgreSQL\14.2\bin\psql" -U postgres -c "CREATE DATABASE sscdb WITH OWNER admin TEMPLATE template0 ENCODING 'UTF8' TABLESPACE pg_default LC_COLLATE 'Korean_Korea.949' LC_CTYPE 'Korean_Korea.949' CONNECTION LIMIT -1"

"C:\Program Files\PostgreSQL\14.2\bin\psql" -U postgres -d sscdb -f create_tables.sql

endlocal

What the dropped script does: it places the PostgreSQL superuser password 1qaz@WSX in the PGPASSWORD environment variable, creates a second SUPERUSER role named admin with the password lgeuser, creates the database sscdb (owner admin, Korean_Korea.949 collation) and loads create_tables.sql; the cmd.exe command line under Classification shows that %1 is the wrapper's own path. Both passwords are plaintext inside the executable's payload, so anyone holding init_DB.exe holds them. The executable behaves like a batch-to-EXE wrapper: it creates C:\Users\user\AppData\Local\Temp\1413.tmp, opens 1413.tmp\1414.tmp\1415.tmp and then runs 1413.tmp\1414.tmp\1415.bat through cmd.exe /c, and its import table (LoadResource, SizeofResource, GetTempPathW, GetTempFileNameW, PathRenameExtensionW, CreateProcessW) and RT_RCDATA resources fit that behaviour. The report records no network traffic, no contacted hosts, no injected processes and no persistence; the Babadeda Yara and ML hits and the mal60 score are therefore judgements about the wrapper binary itself (non-standard .code section, .rdata with 7.11 bits of entropy, run-time API resolution through GetProcAddress), not about observed second-stage behaviour. The credential exposure, not the crypter label, is the finding a practitioner should act on.
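Two checks that follow from the behaviour above, written here as added example code (not part of the Joe Sandbox report or of any product): a process-creation detector for the wrapper's launch pattern (cmd.exe /c on a .bat inside a doubly nested %TEMP%\NNNN.tmp\NNNN.tmp\ directory, spawned by a parent outside C:\Windows) and a credential scan over a dropped script. The event records and the script text are constructed from the values printed in this report; the field names parent_image, image and command_line are an assumed telemetry shape, not a specific product's schema.

```python
r"""Triage helpers for a batch-to-EXE style launch and a credential-bearing dropped script.
Added example code, not part of the Joe Sandbox report.  WRAPPER_EVENT, BENIGN_EVENT and
DROPPED_BAT are constructed from the report's own values (assumed telemetry field names)."""
import re

# cmd.exe (or its sysnative alias) started with /c or /k
CMD_C = re.compile(r'''(?i)\\cmd(?:\.exe)?["']?\s+/[ck]\s''')

# ...\AppData\Local\Temp\<hex>.tmp\<hex>.tmp\<hex>.bat
NESTED_TMP_BAT = re.compile(r"""(?ix)
    \\AppData\\Local\\Temp\\
    [0-9a-f]+\.tmp\\[0-9a-f]+\.tmp\\    # two nested *.tmp directories
    [0-9a-f]+\.bat\b                    # the extracted batch payload
""")

# constructed from the report's process tree (not captured telemetry)
WRAPPER_EVENT = {
    "parent_image": r"C:\Users\user\Desktop\init_DB.exe",
    "image": r"C:\Windows\System32\cmd.exe",
    "command_line": r'"C:\Windows\sysnative\cmd" /c '
                    r'"C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat '
                    r'C:\Users\user\Desktop\init_DB.exe"',
}
# constructed benign control: a batch file run from its normal location
BENIGN_EVENT = {
    "parent_image": r"C:\Windows\explorer.exe",
    "image": r"C:\Windows\System32\cmd.exe",
    "command_line": r'C:\Windows\System32\cmd.exe /c "C:\Users\user\Documents\build.bat"',
}


def is_wrapper_launch(event: dict) -> bool:
    """True when cmd.exe /c runs a nested-%TEMP% .bat for a parent that is not a Windows binary."""
    cl = event["command_line"]
    parent = event["parent_image"].lower()
    return bool(CMD_C.search(cl)
                and NESTED_TMP_BAT.search(cl)
                and not parent.startswith("c:\\windows\\"))


# "set NAME=value" with a secret-looking NAME, and SQL "CREATE USER/ROLE x ... PASSWORD '...'"
ENV_SECRET = re.compile(r"(?im)^\s*set\s+(\w*(?:PASS|PWD|SECRET|TOKEN|KEY)\w*)\s*=\s*(\S+)")
SQL_PASSWORD = re.compile(r"(?i)CREATE\s+(?:USER|ROLE)\s+(\w+)\s+(?:WITH\s+)?(?:\w+\s+)*?PASSWORD\s+'([^']*)'")
SQL_SUPERUSER = re.compile(r"(?i)CREATE\s+(?:USER|ROLE)\b[^\r\n]*\bSUPERUSER\b")
TOOL_INVOCATION = re.compile(
    r'(?im)^\s*"?(?:[^"\r\n]*\\)?(psql|sqlcmd|mysql|powershell|certutil|bitsadmin)(?:\.exe)?"?(?=\s|$)')

# the dropped 1415.bat as the report previews it (CRLF line endings restored)
DROPPED_BAT = "\r\n".join([
    "@shift /0",
    "@echo off",
    "echo %1",
    "cd %1",
    "setlocal",
    "set PGPASSWORD=1qaz@WSX",
    '"C:\\Program Files\\PostgreSQL\\14.2\\bin\\psql" -U postgres -c '
    '"CREATE USER admin PASSWORD \'lgeuser\' SUPERUSER"',
    "",
    '"C:\\Program Files\\PostgreSQL\\14.2\\bin\\psql" -U postgres -c '
    '"CREATE DATABASE sscdb WITH OWNER admin TEMPLATE template0 ENCODING \'UTF8\' '
    'TABLESPACE pg_default LC_COLLATE \'Korean_Korea.949\' LC_CTYPE \'Korean_Korea.949\' CONNECTION LIMIT -1"',
    "",
    '"C:\\Program Files\\PostgreSQL\\14.2\\bin\\psql" -U postgres -d sscdb -f create_tables.sql',
    "",
    "endlocal",
    "",
])


def find_hardcoded_credentials(script: str) -> list:
    """Every (name, secret) pair the script carries in the clear."""
    hits = [{"kind": "environment variable", "name": m.group(1), "secret": m.group(2)}
            for m in ENV_SECRET.finditer(script)]
    hits += [{"kind": "SQL role password", "name": m.group(1), "secret": m.group(2)}
             for m in SQL_PASSWORD.finditer(script)]
    return hits


def triage_dropped_script(script: str) -> dict:
    """Credentials, privilege grants and tools invoked by a dropped batch script."""
    return {
        "credentials": find_hardcoded_credentials(script),
        "creates_superuser": bool(SQL_SUPERUSER.search(script)),
        "invokes": sorted({m.group(1).lower() for m in TOOL_INVOCATION.finditer(script)}),
    }


if __name__ == "__main__":
    print("wrapper launch:", is_wrapper_launch(WRAPPER_EVENT), is_wrapper_launch(BENIGN_EVENT))
    print(triage_dropped_script(DROPPED_BAT))
```

The launch check deliberately requires all three conditions (cmd /c, the nested .tmp\.tmp\.bat path, a non-Windows parent) so that an administrator's own batch files and Windows' scheduled maintenance scripts do not fire it; the credential scan is intentionally narrow (environment variables with a secret-like name and SQL role passwords) and would need more patterns for other script families.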
        File type:PE32 executable (console) Intel 80386, for MS Windows
        Entropy (8bit):6.6912976821659225
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.94%
        • Win16/32 Executable Delphi generic (2074/23) 0.02%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • VXD Driver (31/22) 0.00%
        File name:init_DB.exe
        File size:91'648 bytes
        MD5:f2663571882c3baa5633db216443cc0a
        SHA1:85a1283578cef91b29c155c8179733332d48b7c9
        SHA256:de3dfcb68228e7f64f30e64980ad8da6629da73b10d5172762aba76721372b7c
        SHA512:de33378c6653c1a485ed9b64f31e3b0c35f8a6ff0a13fab25a264e08764d583294aea5031c881b0672379d627004a39838fda5021bbbe26f23dd7ffb8523c98d
        SSDEEP:1536:L7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfQwObOE:H7DhdC6kzWypvaQ0FxyNTBfQt7
        TLSH:8B936D41F3E202F7E6F1093100A6726F973663389764A8EBC74C2D529913AD5A63D3F9
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].@]...............2.....N...............0....@........................................................................
        Icon Hash:00928e8e8686b000
        Entrypoint:0x401000
        Entrypoint Section:.code
        Digitally signed:false
        Imagebase:0x400000
        Subsystem:windows cui
        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
        DLL Characteristics:
        Time Stamp:0x5D40055D [Tue Jul 30 08:52:45 2019 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major:4
        OS Version Minor:0
        File Version Major:4
        File Version Minor:0
        Subsystem Version Major:4
        Subsystem Version Minor:0
        Import Hash:2c5f2513605e48f2d8ea5440a870cb9e
Instruction (entry point 0x401000 in section .code; the execution graph resolves the first three calls at this address as memset, GetModuleHandleW and HeapCreate)
push 000000ACh                        ; memset(0x418068, 0, 0xAC): zero a 0xAC-byte global block
push 00000000h
push 00418068h
call 00007F0618CD1871h                ; memset (cdecl: the caller removes the three arguments)
add esp, 0Ch
push 00000000h                        ; GetModuleHandleW(NULL)
call 00007F0618CD186Ah
mov dword ptr [0041806Ch], eax        ; own module handle kept at 0x41806C
push 00000000h                        ; HeapCreate(flOptions=0, dwInitialSize=0x1000, dwMaximumSize=0)
push 00001000h                        ; (arguments pushed right to left)
push 00000000h
call 00007F0618CD1857h
mov dword ptr [00418068h], eax        ; private heap handle kept at 0x418068
        call 00007F0618CD17D1h
        mov eax, 0041707Ch
        mov dword ptr [0041808Ch], eax
        call 00007F0618CDAC92h
        call 00007F0618CDA9FAh
        call 00007F0618CD78D8h
        call 00007F0618CD715Ch
        call 00007F0618CD6BEFh
        call 00007F0618CD6969h
        call 00007F0618CD5E0Dh
        call 00007F0618CD558Dh
        call 00007F0618CD1B4Fh
        call 00007F0618CD9558h
        call 00007F0618CD8000h
        mov edx, 0041702Eh
        lea ecx, dword ptr [00418074h]
        call 00007F0618CD17E8h
        push FFFFFFF5h
        call 00007F0618CD17F8h
        mov dword ptr [00418094h], eax
        mov eax, 00000200h
        push eax
        lea eax, dword ptr [00418110h]
        push eax
        xor eax, eax
        push eax
        push 00000015h
        push 00000004h
        call 00007F0618CD6BB2h
        push dword ptr [004180F8h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1716c | 0xc8 | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19000 | 0x6a8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x17470 | 0x23c | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.code | 0x1000 | 0x387e | 0x3a00 | 46da2c5018752470fd3127bf22d63b95 | False | 0.4595231681034483 | data | 5.529218938453912 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.text | 0x5000 | 0xd962 | 0xda00 | e1a026e66953c410d7f60b1f1e3c560f | False | 0.5144244552752294 | data | 6.56248809649253 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x13000 | 0x33a5 | 0x3400 | a16842a34a5da6feda9533bb3e83c3c1 | False | 0.8049128605769231 | data | 7.111835561466389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0x178c | 0x1200 | b8d2c33fe7529ab5e5d04132840353fc | False | 0.4034288194444444 | data | 5.102881096041178 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x19000 | 0x6a8 | 0x800 | 51b78f57564a87e08db6640d9b15ab8a | False | 0.60009765625 | data | 6.2282124161046815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
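The three static findings in the table above (an entry point inside a section with the non-standard name .code, an .rdata section at 7.11 bits of entropy, a .data section whose virtual size 0x178c exceeds its raw size 0x1200) are cheap to recompute from the section table alone. The following is added example code, not part of the Joe Sandbox report and not the sandbox's own implementation; it uses only the standard library, and the PE it triages is constructed in memory to mirror this report's layout rather than being the analysed file.

```python
"""Static triage of a PE32 section table: non-standard section names, the section holding the
entry point, sections whose virtual size exceeds their raw size, and per-section Shannon entropy
on the 0-8 bit scale the report uses.  Added example code, standard library only.
build_sample_pe() constructs a two-section PE (entry point 0x401000 inside ".code", a
high-entropy .rdata); it is not the analysed binary."""
import math
import struct

STANDARD_SECTION_NAMES = {
    ".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
    ".pdata", ".bss", ".tls", ".CRT", ".xdata",
}
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (image_base, entry_rva, sections) for a PE32 image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 (not PE32+) is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]     # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]    # ImageBase (PE32 layout)
    sections, hdr = [], opt + opt_size
    for _ in range(nsections):                                # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, hdr)
        chars = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "characteristics": chars,
            "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
        })
        hdr += 40
    return image_base, entry_rva, sections


def triage(pe: bytes) -> dict:
    """The checks behind the report's section-name and entropy findings."""
    image_base, entry_rva, sections = parse_sections(pe)
    entry = next((s["name"] for s in sections
                  if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    return {
        "entry_point": image_base + entry_rva,
        "entry_section": entry,
        "nonstandard_names": [s["name"] for s in sections if s["name"] not in STANDARD_SECTION_NAMES],
        "high_entropy": [s["name"] for s in sections if s["entropy"] >= 7.0],
        "vsize_exceeds_raw": [s["name"] for s in sections if s["vsize"] > s["rawsize"]],
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the report's file): .code at RVA 0x1000 holds the entry point,
    .rdata at RVA 0x2000 is filled with maximal-entropy bytes."""
    code = b"\x90" * 0x200              # NOP sled: entropy 0.0
    rdata = bytes(range(256)) * 4       # every byte value equally often: entropy 8.0
    headers_size = 0x200
    hdrs, payload = [], b""
    for name, va, data, chars in (
        (b".code", 0x1000, code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x2000, rdata, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ):
        hdrs.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                len(data), headers_size + len(payload), 0, 0, 0, 0, chars))
        payload += data
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                    # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(hdrs), 0, 0, 0, 224, 0x010F)  # flags as in the report
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, len(code), len(rdata), 0,
                      0x1000, 0x1000, 0x2000, 0x400000).ljust(224, b"\0")  # entry 0x1000, base 0x400000
    return (dos + b"PE\0\0" + coff + opt + b"".join(hdrs)).ljust(headers_size, b"\0") + payload


if __name__ == "__main__":
    result = triage(build_sample_pe())
    for s in result.pop("sections"):
        print(f"{s['name']:<8} va=0x{s['va']:x} entropy={s['entropy']:.2f}")
    print(result)
```

Run against the real file, the same three lists would read [".code"], [".rdata"] and [".data"]; the vsize-versus-raw gap is ordinary zero-initialised data and only becomes interesting together with the other two.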
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x1921c | 0x1 | very short file (no magic) | | | 9.0
RT_RCDATA | 0x19220 | 0xe | zlib compressed data | | | 1.5714285714285714
RT_RCDATA | 0x19230 | 0x203 | data | | | 1.021359223300971
RT_RCDATA | 0x19434 | 0x10 | data | | | 1.5625
RT_MANIFEST | 0x19444 | 0x263 | XML 1.0 document, ASCII text | | | 0.5319148936170213
DLL | Imports
MSVCRT.dll | memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, wcslen, wcscpy, wcscmp, wcscat, memcpy, tolower, malloc
KERNEL32.dll | GetModuleHandleW, HeapCreate, GetStdHandle, SetConsoleCtrlHandler, HeapDestroy, ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, FreeLibrary, RemoveDirectoryW, EnumResourceNamesW, GetCommandLineW, LoadResource, SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, CreateThread, GetProcAddress, GetVersionExW, Sleep, WideCharToMultiByte, HeapAlloc, HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, PeekNamedPipe, TerminateProcess, GetEnvironmentVariableW, SetEnvironmentVariableW, GetCurrentProcess, DuplicateHandle, CreatePipe, CreateProcessW, GetExitCodeProcess, SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, RegisterWaitForSingleObject
USER32.DLL | CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, IsWindowVisible, EnumWindows, SetWindowPos
GDI32.DLL | GetStockObject
COMCTL32.DLL | InitCommonControlsEx
SHELL32.DLL | ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW
WINMM.DLL | timeBeginPeriod
OLE32.DLL | CoInitialize, CoTaskMemFree
SHLWAPI.DLL | PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, PathRemoveBackslashW
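The Import Hash printed in the static information above (2c5f2513605e48f2d8ea5440a870cb9e) is the usual pivot for finding other builds of the same wrapper regardless of the batch script embedded in them, because it depends only on the import table. The following is added example code, not part of the Joe Sandbox report, that recomputes an import hash from an import listing with the algorithm pefile uses: every imported function, in import-table order, becomes "<dll>.<function>" in lower case with a .dll/.ocx/.sys extension stripped from the DLL name, the strings are joined with commas, and the MD5 of the result is the hash. IMPORTS is this report's import table transcribed as data; the result reproduces the reported value only if the listing preserves on-disk import order, which this page does not state, so matches_report() is informational rather than a correctness check.

```python
"""Recompute an import hash (imphash) from an import listing.  Added example code, not part of
the Joe Sandbox report.  IMPORTS is the report's import table transcribed as data."""
import hashlib

REPORTED_IMPHASH = "2c5f2513605e48f2d8ea5440a870cb9e"   # value printed in the report

IMPORTS = [  # (DLL, comma-separated functions) in the order the report lists them
    ("MSVCRT.dll", "memset, wcsncmp, memmove, wcsncpy, wcsstr, _wcsnicmp, _wcsdup, free, _wcsicmp, "
                   "wcslen, wcscpy, wcscmp, wcscat, memcpy, tolower, malloc"),
    ("KERNEL32.dll", "GetModuleHandleW, HeapCreate, GetStdHandle, SetConsoleCtrlHandler, HeapDestroy, "
                     "ExitProcess, WriteFile, GetTempFileNameW, LoadLibraryExW, EnumResourceTypesW, "
                     "FreeLibrary, RemoveDirectoryW, EnumResourceNamesW, GetCommandLineW, LoadResource, "
                     "SizeofResource, FreeResource, FindResourceW, GetNativeSystemInfo, GetShortPathNameW, "
                     "GetWindowsDirectoryW, GetSystemDirectoryW, EnterCriticalSection, CloseHandle, "
                     "LeaveCriticalSection, InitializeCriticalSection, WaitForSingleObject, TerminateThread, "
                     "CreateThread, GetProcAddress, GetVersionExW, Sleep, WideCharToMultiByte, HeapAlloc, "
                     "HeapFree, LoadLibraryW, GetCurrentProcessId, GetCurrentThreadId, GetModuleFileNameW, "
                     "PeekNamedPipe, TerminateProcess, GetEnvironmentVariableW, SetEnvironmentVariableW, "
                     "GetCurrentProcess, DuplicateHandle, CreatePipe, CreateProcessW, GetExitCodeProcess, "
                     "SetUnhandledExceptionFilter, HeapSize, MultiByteToWideChar, CreateDirectoryW, "
                     "SetFileAttributesW, GetTempPathW, DeleteFileW, GetCurrentDirectoryW, "
                     "SetCurrentDirectoryW, CreateFileW, SetFilePointer, TlsFree, TlsGetValue, TlsSetValue, "
                     "TlsAlloc, HeapReAlloc, DeleteCriticalSection, InterlockedCompareExchange, "
                     "InterlockedExchange, GetLastError, SetLastError, UnregisterWait, GetCurrentThread, "
                     "RegisterWaitForSingleObject"),
    ("USER32.DLL", "CharUpperW, CharLowerW, MessageBoxW, DefWindowProcW, DestroyWindow, GetWindowLongW, "
                   "GetWindowTextLengthW, GetWindowTextW, UnregisterClassW, LoadIconW, LoadCursorW, "
                   "RegisterClassExW, IsWindowEnabled, EnableWindow, GetSystemMetrics, CreateWindowExW, "
                   "SetWindowLongW, SendMessageW, SetFocus, CreateAcceleratorTableW, SetForegroundWindow, "
                   "BringWindowToTop, GetMessageW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, "
                   "DestroyAcceleratorTable, PostMessageW, GetForegroundWindow, GetWindowThreadProcessId, "
                   "IsWindowVisible, EnumWindows, SetWindowPos"),
    ("GDI32.DLL", "GetStockObject"),
    ("COMCTL32.DLL", "InitCommonControlsEx"),
    ("SHELL32.DLL", "ShellExecuteExW, SHGetFolderLocation, SHGetPathFromIDListW"),
    ("WINMM.DLL", "timeBeginPeriod"),
    ("OLE32.DLL", "CoInitialize, CoTaskMemFree"),
    ("SHLWAPI.DLL", "PathAddBackslashW, PathRenameExtensionW, PathQuoteSpacesW, PathRemoveArgsW, "
                    "PathRemoveBackslashW"),
]


def imphash(imports) -> str:
    """pefile-style import hash over (dll, functions) pairs taken in the given order."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):   # pefile strips exactly these extensions
            lib = base
        for func in funcs.split(","):
            func = func.strip()
            if func:                               # ordinal-only imports would become "ordNNN"
                parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def matches_report(imports=IMPORTS) -> bool:
    """Whether the transcribed listing reproduces the report's Import Hash (depends on ordering)."""
    return imphash(imports) == REPORTED_IMPHASH


if __name__ == "__main__":
    print(imphash(IMPORTS), "matches report:", matches_report())
```

Because the hash is order-sensitive, it changes when a builder reorders imports or adds a single function; it is a good pivot for identical toolchains and a poor one across versions of a tool.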
        No network behavior found


        Target ID:0
        Start time:08:22:13
        Start date:23/04/2024
        Path:C:\Users\user\Desktop\init_DB.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\Desktop\init_DB.exe"
        Imagebase:0x400000
        File size:91'648 bytes
        MD5 hash:F2663571882C3BAA5633DB216443CC0A
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:low
        Has exited:true

        Target ID:2
        Start time:08:22:13
        Start date:23/04/2024
        Path:C:\Windows\System32\conhost.exe
        Wow64 process (32bit):false
        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Imagebase:0x7ff6ee680000
        File size:862'208 bytes
        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:3
        Start time:08:22:13
        Start date:23/04/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\1413.tmp\1414.tmp\1415.bat C:\Users\user\Desktop\init_DB.exe"
        Imagebase:0x7ff662c30000
        File size:289'792 bytes
        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true


          Execution Graph

          Execution Coverage:13.1%
          Dynamic/Decrypted Code Coverage:0%
          Signature Coverage:1.7%
          Total number of Nodes:2000
          Total number of Limit Nodes:34
execution_graph: node and edge dump of the execution graph (graph residue, not reproduced in full). The API sequences it attributes to addresses in the sample's own code: 401000 memset, GetModuleHandleW, HeapCreate (entry point); 40e4d0 HeapCreate, TlsAlloc; 40ed40 HeapAlloc, HeapAlloc, TlsSetValue; 40dbac HeapAlloc, HeapAlloc, InitializeCriticalSection; 40a1c0 HeapCreate; 408dee memset, InitCommonControlsEx, CoInitialize; 4053b5 InitializeCriticalSection; 401095 GetStdHandle; 401163 SetConsoleCtrlHandler; 409fb0 SetUnhandledExceptionFilter at three call sites (40a0e1, 40a0eb, 40a0fa); 401bdb LoadLibraryExW followed by 401be8 EnumResourceTypesW, FreeLibrary; 404452 GetModuleHandleW; 40454e PathRemoveBackslashW; 40548c CreateThread; 40993e TerminateProcess; 405373 and 4098c0 EnterCriticalSection with matching LeaveCriticalSection; 40538a CloseHandle; 40e520 GetLastError, TlsGetValue, SetLastError (called from dozens of sites); 40e560 TlsGetValue, RtlAllocateHeap, RtlReAllocateHeap; 40e283 RtlAllocateHeap then 40e2a2 memset; 40e6c0 wcslen, TlsGetValue, HeapReAlloc, HeapReAlloc; 40e5f0 and 40e1c3 HeapFree; 40d95b TlsFree; 40a1b0 HeapDestroy. The dump is truncated at the end of the page.
10460 40e520 GetLastError TlsGetValue SetLastError 7949->10460 7951 402fc8 10461 40e520 GetLastError TlsGetValue SetLastError 7951->10461 7953 402fd0 10462 40e520 GetLastError TlsGetValue SetLastError 7953->10462 7955 402fd8 7956 40d780 8 API calls 7955->7956 7957 402fea 7956->7957 10463 405182 TlsGetValue 7957->10463 7959 402fef 7960 405eb0 6 API calls 7959->7960 7961 402ff7 7960->7961 7962 40e560 3 API calls 7961->7962 7963 403001 7962->7963 10464 40e520 GetLastError TlsGetValue SetLastError 7963->10464 7965 403007 10465 40e520 GetLastError TlsGetValue SetLastError 7965->10465 7967 40300f 10466 40e520 GetLastError TlsGetValue SetLastError 7967->10466 7969 403017 10467 40e520 GetLastError TlsGetValue SetLastError 7969->10467 7971 40301f 7972 40d780 8 API calls 7971->7972 7973 40302f 7972->7973 10468 405182 TlsGetValue 7973->10468 7975 403034 7976 405eb0 6 API calls 7975->7976 7977 40303c 7976->7977 7978 40e560 3 API calls 7977->7978 7979 403046 7978->7979 7980 402e49 35 API calls 7979->7980 7981 40304e 7980->7981 10469 40e520 GetLastError TlsGetValue SetLastError 7981->10469 7983 403058 7984 402150 122 API calls 7983->7984 7985 403063 7984->7985 7986 4051a0 3 API calls 7985->7986 7987 403068 7986->7987 10470 40e520 GetLastError TlsGetValue SetLastError 7987->10470 7989 40306e 10471 40e520 GetLastError TlsGetValue SetLastError 7989->10471 7991 403076 7992 409355 33 API calls 7991->7992 7993 403089 7992->7993 7994 40e560 3 API calls 7993->7994 7995 403093 7994->7995 7996 4031ea 7995->7996 10472 40e520 GetLastError TlsGetValue SetLastError 7995->10472 7996->7996 7998 4030aa 10473 40e520 GetLastError TlsGetValue SetLastError 7998->10473 8000 4030b2 10474 40e520 GetLastError TlsGetValue SetLastError 8000->10474 8002 4030ba 10475 40e520 GetLastError TlsGetValue SetLastError 8002->10475 8004 4030c2 8005 40d780 8 API calls 8004->8005 8006 4030d4 8005->8006 10476 405182 TlsGetValue 8006->10476 8008 4030d9 8009 405eb0 6 API calls 8008->8009 8010 4030e1 8009->8010 8011 
40e560 3 API calls 8010->8011 8012 4030eb 8011->8012 10477 40e520 GetLastError TlsGetValue SetLastError 8012->10477 8014 4030f1 10478 40e520 GetLastError TlsGetValue SetLastError 8014->10478 8016 4030f9 10479 40e520 GetLastError TlsGetValue SetLastError 8016->10479 8018 403101 10480 40e520 GetLastError TlsGetValue SetLastError 8018->10480 8020 403109 8021 40d780 8 API calls 8020->8021 8022 40311b 8021->8022 10481 405182 TlsGetValue 8022->10481 8024 403120 8025 405eb0 6 API calls 8024->8025 8026 403128 8025->8026 8027 40e560 3 API calls 8026->8027 8028 403132 8027->8028 10482 40e520 GetLastError TlsGetValue SetLastError 8028->10482 8030 403138 8031 403e37 84 API calls 8030->8031 8032 403148 8031->8032 8033 40e560 3 API calls 8032->8033 8034 403154 8033->8034 10483 40e520 GetLastError TlsGetValue SetLastError 8034->10483 8036 40315a 8037 403e37 84 API calls 8036->8037 8038 40316a 8037->8038 8039 40e560 3 API calls 8038->8039 8040 403174 PathAddBackslashW 8039->8040 10484 40e520 GetLastError TlsGetValue SetLastError 8040->10484 8042 403183 10485 40e520 GetLastError TlsGetValue SetLastError 8042->10485 8044 403193 8045 40e6c0 4 API calls 8044->8045 8046 40319b 8045->8046 8047 40e6c0 4 API calls 8046->8047 8048 4031a7 8047->8048 10486 405182 TlsGetValue 8048->10486 8050 4031ac 8051 4023b8 34 API calls 8050->8051 8052 4031b4 8051->8052 8053 4051a0 3 API calls 8052->8053 8054 4031b9 8053->8054 10487 40e520 GetLastError TlsGetValue SetLastError 8054->10487 8056 4031c3 8057 40e6c0 4 API calls 8056->8057 8058 4031cb 8057->8058 8059 40e560 3 API calls 8058->8059 8060 4031d7 PathRemoveBackslashW 8059->8060 8061 402c55 141 API calls 8060->8061 8061->7996 8062->7582 8063->7585 8065 40d9e2 8064->8065 8066 40da20 TlsGetValue HeapReAlloc TlsSetValue 8065->8066 8067 40d9f8 TlsAlloc HeapAlloc TlsSetValue 8065->8067 8068 40da60 8066->8068 8069 40da5c 8066->8069 8067->8066 8074 40e1f2 HeapAlloc 8068->8074 8069->8068 8070 409674 8069->8070 8073 40dbac HeapAlloc HeapAlloc 
InitializeCriticalSection 8070->8073 8073->7591 8075 40da6c 8074->8075 8075->8070 8077 40e7e1 wcslen 8076->8077 8078 40e84d 8076->8078 8080 40e816 HeapReAlloc 8077->8080 8081 40e7f8 HeapAlloc 8077->8081 8079 40e855 HeapFree 8078->8079 8082 40e838 8078->8082 8079->8082 8080->8082 8081->8082 8082->7596 8084 40a46f HeapAlloc 8083->8084 8085 40a558 8083->8085 8084->7600 8084->7601 8109 40a79a 8085->8109 8087 40a560 8116 40dfc6 8087->8116 8090 40a5a3 HeapFree 8090->8084 8091 40a58f 8092 40a590 HeapFree 8091->8092 8092->8092 8093 40a5a2 8092->8093 8093->8090 8095 40deba 8094->8095 8096 40df72 RtlAllocateHeap 8095->8096 8097 40dec6 8095->8097 8099 40df87 8096->8099 8100 40a4f6 HeapAlloc 8096->8100 8153 40e0c3 LoadLibraryW 8097->8153 8099->8100 8102 40dfb0 InitializeCriticalSection 8099->8102 8100->7605 8102->8100 8103 40df07 HeapAlloc 8104 40df65 LeaveCriticalSection 8103->8104 8105 40df1d 8103->8105 8104->8100 8107 40de99 6 API calls 8105->8107 8106 40deeb 8106->8103 8106->8104 8108 40df34 8107->8108 8108->8104 8113 40a7ae 8109->8113 8110 40a7f7 memset 8111 40a810 8110->8111 8111->8087 8112 40a7b9 HeapFree 8112->8113 8113->8110 8113->8112 8129 41242a 8113->8129 8134 40ddcb 8113->8134 8117 40dfd3 EnterCriticalSection 8116->8117 8118 40e038 8116->8118 8120 40e02e LeaveCriticalSection 8117->8120 8121 40dfef 8117->8121 8144 40dd5d 8118->8144 8124 40a568 HeapFree HeapFree 8120->8124 8123 40dfc6 4 API calls 8121->8123 8127 40dff9 HeapFree 8123->8127 8124->8090 8124->8091 8125 40e044 DeleteCriticalSection 8126 40e04e HeapFree 8125->8126 8126->8124 8127->8120 8130 412525 8129->8130 8133 412442 8129->8133 8130->8113 8131 41242a HeapFree 8131->8133 8133->8130 8133->8131 8141 40e5f0 8133->8141 8135 40ddd8 EnterCriticalSection 8134->8135 8139 40dde2 8134->8139 8135->8139 8136 40de94 8136->8113 8137 40de8a LeaveCriticalSection 8137->8136 8138 40de4b 8138->8136 8138->8137 8139->8138 8140 40de35 HeapFree 8139->8140 8140->8138 8142 40e5fb HeapFree 8141->8142 8143 40e60e 8141->8143 
8142->8143 8143->8133 8145 40dd75 8144->8145 8146 40dd6b EnterCriticalSection 8144->8146 8147 40dd92 8145->8147 8148 40dd7c HeapFree 8145->8148 8146->8145 8149 40dd98 HeapFree 8147->8149 8150 40ddae 8147->8150 8148->8147 8148->8148 8149->8149 8149->8150 8151 40ddc5 8150->8151 8152 40ddbb LeaveCriticalSection 8150->8152 8151->8125 8151->8126 8152->8151 8154 40e0e0 GetProcAddress 8153->8154 8155 40e10b InterlockedCompareExchange 8153->8155 8156 40e100 FreeLibrary 8154->8156 8161 40e0f0 8154->8161 8157 40e12f InterlockedExchange 8155->8157 8159 40e11b 8155->8159 8156->8155 8158 40ded5 EnterCriticalSection 8156->8158 8157->8158 8158->8106 8159->8158 8162 40e120 Sleep 8159->8162 8161->8156 8162->8159 8164 40ab46 8163->8164 8168 40ab27 8163->8168 8165 40aa6b 8164->8165 8166 40ddcb 3 API calls 8164->8166 8165->7614 8166->8164 8167 41242a HeapFree 8167->8168 8168->8165 8168->8167 8169 40ddcb 3 API calls 8168->8169 8169->8168 8171 40e277 8170->8171 8175 40e3c2 8170->8175 8171->7628 8171->7630 8172 40e3ed HeapFree 8172->8171 8173 40e3eb 8173->8172 8174 41242a HeapFree 8174->8175 8175->8172 8175->8173 8175->8174 8177 40e68a TlsGetValue 8176->8177 8178 40e66c 8176->8178 8180 402ef9 8177->8180 8181 40e69b 8177->8181 8179 40e4d0 5 API calls 8178->8179 8182 40e671 TlsGetValue 8179->8182 8188 4051a0 8180->8188 8220 40ed40 HeapAlloc HeapAlloc TlsSetValue 8181->8220 8211 412722 8182->8211 8185 40e6a0 TlsGetValue 8187 412722 13 API calls 8185->8187 8187->8180 8221 40ee20 GetLastError TlsGetValue SetLastError 8188->8221 8190 4051ab 8190->7642 8191->7644 8192->7646 8193->7648 8194->7650 8198 40d7ad 8195->8198 8222 40d8a0 8198->8222 8199 405182 TlsGetValue 8199->7654 8201 405ebd 8200->8201 8232 40e880 TlsGetValue 8201->8232 8204 40e900 3 API calls 8205 405ed1 8204->8205 8208 405edd 8205->8208 8234 40ea10 TlsGetValue 8205->8234 8207 405f0d 8207->7656 8208->8207 8208->8208 8209 405f00 CharUpperW 8208->8209 8209->7656 8210->7658 8212 412732 TlsAlloc InitializeCriticalSection 8211->8212 
8213 41274e TlsGetValue 8211->8213 8212->8213 8214 412764 HeapAlloc 8213->8214 8215 4127eb HeapAlloc 8213->8215 8216 40e688 8214->8216 8217 41277e EnterCriticalSection 8214->8217 8215->8216 8216->8180 8218 412790 7 API calls 8217->8218 8219 41278e 8217->8219 8218->8215 8219->8218 8220->8185 8221->8190 8223 40d8ac 8222->8223 8226 40e900 TlsGetValue 8223->8226 8227 40e91b 8226->8227 8228 40e941 HeapReAlloc 8227->8228 8229 40e974 8227->8229 8230 402f85 8228->8230 8229->8230 8231 40e990 HeapReAlloc 8229->8231 8230->8199 8231->8230 8233 405ec5 8232->8233 8233->8204 8234->8208 8235->7667 8236->7669 8237->7671 8239 40e900 3 API calls 8238->8239 8240 4096aa GetModuleFileNameW wcscmp 8239->8240 8241 4096e5 8240->8241 8242 4096cd memmove 8240->8242 8308 40ea90 TlsGetValue 8241->8308 8242->8241 8244 401bd6 8245 405182 TlsGetValue 8244->8245 8245->7675 8246->7684 8247->7686 8248->7688 8249->7690 8250->7693 8251->7695 8253 405e1d 8252->8253 8254 40e880 TlsGetValue 8253->8254 8255 405e40 8254->8255 8256 40e900 3 API calls 8255->8256 8257 405e4c 8256->8257 8259 401cfa 8257->8259 8309 40ea10 TlsGetValue 8257->8309 8260 405182 TlsGetValue 8259->8260 8260->7701 8310 40d700 8261->8310 8264 405182 TlsGetValue 8264->7705 8265->7711 8267 40e6e2 8266->8267 8268 40e6d3 wcslen 8266->8268 8269 40e900 3 API calls 8267->8269 8268->8267 8270 40e6ed 8269->8270 8270->7713 8271->7717 8272->7719 8273->7721 8274->7723 8275->7727 8276->7733 8277->7735 8279 405f2e 8278->8279 8280 40e880 TlsGetValue 8279->8280 8281 405f4a 8280->8281 8282 40e900 3 API calls 8281->8282 8283 405f56 8282->8283 8285 405f62 8283->8285 8326 40ea10 TlsGetValue 8283->8326 8285->7737 8327 40d968 TlsGetValue 8286->8327 8291 40e520 GetLastError TlsGetValue SetLastError 8291->7745 8292->7749 8294 40d968 16 API calls 8293->8294 8295 409885 8294->8295 8296 40973a 17 API calls 8295->8296 8297 409898 8296->8297 8298 40e900 3 API calls 8297->8298 8299 4098a6 8298->8299 8337 40ea90 TlsGetValue 8299->8337 8301 401dda 8302 40e720 
TlsGetValue 8301->8302 8302->7756 8338 40ede0 TlsGetValue 8303->8338 8305 40516a 8305->7762 8306->7764 8307->7766 8308->8244 8309->8259 8311 40d712 8310->8311 8312 40d75d 8311->8312 8315 40d732 8311->8315 8313 40d8a0 3 API calls 8312->8313 8314 401d07 8313->8314 8314->8264 8319 412840 8315->8319 8317 40d738 8325 412830 free 8317->8325 8320 4128b4 malloc 8319->8320 8321 41284c WideCharToMultiByte 8319->8321 8320->8317 8321->8320 8323 412880 malloc 8321->8323 8323->8320 8324 412892 WideCharToMultiByte 8323->8324 8324->8317 8325->8312 8326->8285 8328 409869 8327->8328 8329 40d97b HeapAlloc TlsSetValue 8327->8329 8333 40973a 8328->8333 8330 40d9a7 8329->8330 8331 412722 13 API calls 8330->8331 8332 40d9c8 8331->8332 8332->8328 8334 40d968 16 API calls 8333->8334 8335 40974b GetCommandLineW 8334->8335 8336 401dbc 8335->8336 8336->7742 8336->8291 8337->8301 8338->8305 8340 40e900 3 API calls 8339->8340 8341 405dcb 8340->8341 8341->7790 8342->7804 8343->7825 8345 403227 8344->8345 8345->8345 8346 40e660 21 API calls 8345->8346 8347 403239 8346->8347 8348 4051a0 3 API calls 8347->8348 8349 403242 8348->8349 9252 405060 8349->9252 8352 405060 2 API calls 8353 40325b 8352->8353 9255 402b6d 8353->9255 8356 403264 9262 405573 GetVersionExW 8356->9262 8357 403277 8360 403281 8357->8360 8361 4033e7 8357->8361 9268 40e520 GetLastError TlsGetValue SetLastError 8360->9268 9300 40e520 GetLastError TlsGetValue SetLastError 8361->9300 8364 4033ed 9301 40e520 GetLastError TlsGetValue SetLastError 8364->9301 8365 403287 9269 40e520 GetLastError TlsGetValue SetLastError 8365->9269 8368 4033f5 8370 4062c0 3 API calls 8368->8370 8369 40328f 9270 4062c0 8369->9270 8372 403401 8370->8372 8374 40e560 3 API calls 8372->8374 8377 40340b GetSystemDirectoryW PathAddBackslashW 8374->8377 8375 40e560 3 API calls 8376 4032a5 GetWindowsDirectoryW PathAddBackslashW 8375->8376 9273 40e520 GetLastError TlsGetValue SetLastError 8376->9273 8428 4033e5 8377->8428 8379 4032c6 8381 40e6c0 4 API calls 
8379->8381 8383 4032ce 8381->8383 8382 40342c 8384 40e6c0 4 API calls 8382->8384 8386 40e6c0 4 API calls 8383->8386 8385 403434 8384->8385 9261 405170 TlsGetValue 8385->9261 8388 4032d9 8386->8388 8390 40e560 3 API calls 8388->8390 8389 40343b 8392 40e5f0 HeapFree 8389->8392 8391 4032e3 PathAddBackslashW 8390->8391 9274 40e520 GetLastError TlsGetValue SetLastError 8391->9274 8394 403453 8392->8394 8396 40e5f0 HeapFree 8394->8396 8395 4032f6 8397 40e6c0 4 API calls 8395->8397 8398 40345b 8396->8398 8399 4032fe 8397->8399 8400 40e5f0 HeapFree 8398->8400 8401 40e6c0 4 API calls 8399->8401 8402 403464 8400->8402 8403 403308 8401->8403 8404 40e5f0 HeapFree 8402->8404 8405 40e560 3 API calls 8403->8405 8407 40346d 8404->8407 8406 403312 8405->8406 9275 40e520 GetLastError TlsGetValue SetLastError 8406->9275 8408 40e5f0 HeapFree 8407->8408 8410 403476 8408->8410 8410->7830 8411 40331c 8412 40e6c0 4 API calls 8411->8412 8413 403324 8412->8413 8414 40e6c0 4 API calls 8413->8414 8415 40332e 8414->8415 8416 40e6c0 4 API calls 8415->8416 8417 403338 8416->8417 8418 40e560 3 API calls 8417->8418 8419 403342 8418->8419 9276 40b440 8419->9276 8421 403350 8422 403366 8421->8422 9286 40b050 8421->9286 8424 40b440 11 API calls 8422->8424 8425 40337e 8424->8425 8426 403394 8425->8426 8427 40b050 11 API calls 8425->8427 8426->8428 9298 40e520 GetLastError TlsGetValue SetLastError 8426->9298 8427->8426 9260 40e520 GetLastError TlsGetValue SetLastError 8428->9260 8430 4033b0 9299 40e520 GetLastError TlsGetValue SetLastError 8430->9299 8432 4033b8 8433 4062c0 3 API calls 8432->8433 8434 4033c4 8433->8434 8435 40e560 3 API calls 8434->8435 8436 4033ce GetSystemDirectoryW PathAddBackslashW 8435->8436 8436->8428 8437->7836 8438->7838 8439->7840 8440->7842 8441->7846 8442->7852 8443->7854 8444->7856 8445->7858 8446->7862 8448 40e660 21 API calls 8447->8448 8449 402e56 8448->8449 8450 405060 2 API calls 8449->8450 8451 402e62 FindResourceW 8450->8451 8452 402e81 8451->8452 8453 402e9d 
8451->8453 9342 402664 8452->9342 9336 40a220 8453->9336 8457 402eac 9339 40ee60 8457->9339 8461 40e5f0 HeapFree 8462 402ee7 8461->8462 8463 40e520 GetLastError TlsGetValue SetLastError 8462->8463 8463->7870 8465 40e660 21 API calls 8464->8465 8466 40215c 8465->8466 8467 4051a0 3 API calls 8466->8467 8468 402165 8467->8468 8469 402366 8468->8469 8470 40217e 8468->8470 9376 40e520 GetLastError TlsGetValue SetLastError 8469->9376 9378 40e520 GetLastError TlsGetValue SetLastError 8470->9378 8473 402184 9379 40e520 GetLastError TlsGetValue SetLastError 8473->9379 8474 402370 8476 40e6c0 4 API calls 8474->8476 8478 402378 8476->8478 8477 40218c 9380 40e520 GetLastError TlsGetValue SetLastError 8477->9380 9377 405170 TlsGetValue 8478->9377 8481 402194 9381 40e520 GetLastError TlsGetValue SetLastError 8481->9381 8482 40237f 8485 40e5f0 HeapFree 8482->8485 8484 40219c 9382 40a290 8484->9382 8487 402397 8485->8487 8489 40e5f0 HeapFree 8487->8489 8488 4021b0 9391 405182 TlsGetValue 8488->9391 8491 4023a0 8489->8491 8492 40e5f0 HeapFree 8491->8492 8494 4023a8 8492->8494 8493 4021b5 9392 406060 8493->9392 8496 40e5f0 HeapFree 8494->8496 8498 4023b1 8496->8498 8498->7873 8499 40e560 3 API calls 8500 4021c7 8499->8500 9395 40e520 GetLastError TlsGetValue SetLastError 8500->9395 8502 4021cd 9396 40e520 GetLastError TlsGetValue SetLastError 8502->9396 8504 4021d5 9397 40e520 GetLastError TlsGetValue SetLastError 8504->9397 8506 4021dd 9398 40e520 GetLastError TlsGetValue SetLastError 8506->9398 8508 4021e5 8509 40a290 5 API calls 8508->8509 8510 4021fc 8509->8510 9399 405182 TlsGetValue 8510->9399 8512 402201 8513 406060 5 API calls 8512->8513 8514 402209 8513->8514 8515 40e560 3 API calls 8514->8515 8516 402213 8515->8516 9400 40e520 GetLastError TlsGetValue SetLastError 8516->9400 8518 402219 9401 40e520 GetLastError TlsGetValue SetLastError 8518->9401 8520 402221 9402 40e520 GetLastError TlsGetValue SetLastError 8520->9402 8522 402234 9403 40e520 GetLastError TlsGetValue 
SetLastError 8522->9403 8524 40223c 9404 4057f0 8524->9404 8526 402252 9420 40e720 TlsGetValue 8526->9420 8528 402257 9421 40e520 GetLastError TlsGetValue SetLastError 8528->9421 8530 40225d 9422 40e520 GetLastError TlsGetValue SetLastError 8530->9422 8532 402265 8533 4057f0 9 API calls 8532->8533 8534 40227b 8533->8534 9423 405182 TlsGetValue 8534->9423 8536 402280 9424 405182 TlsGetValue 8536->9424 8538 402288 9425 408f69 8538->9425 8541 40e560 3 API calls 8542 40229b 8541->8542 8543 40235c 8542->8543 8544 4022ac 8542->8544 8545 401fba 36 API calls 8543->8545 9467 40e520 GetLastError TlsGetValue SetLastError 8544->9467 8545->8469 8547 4022b2 9468 40e520 GetLastError TlsGetValue SetLastError 8547->9468 8549 4022ba 9469 40e520 GetLastError TlsGetValue SetLastError 8549->9469 8551 4022c7 9470 40e520 GetLastError TlsGetValue SetLastError 8551->9470 8553 4022cf 8554 406060 5 API calls 8553->8554 8555 4022da 8554->8555 9471 405182 TlsGetValue 8555->9471 8557 4022df 8558 40d780 8 API calls 8557->8558 8559 4022e7 8558->8559 8560 40e560 3 API calls 8559->8560 8561 4022f1 8560->8561 8562 40235a 8561->8562 9472 40e520 GetLastError TlsGetValue SetLastError 8561->9472 8562->8469 8564 402307 9473 40e520 GetLastError TlsGetValue SetLastError 8564->9473 8566 402314 9474 40e520 GetLastError TlsGetValue SetLastError 8566->9474 8568 40231c 8569 4057f0 9 API calls 8568->8569 8570 402332 8569->8570 9475 40e720 TlsGetValue 8570->9475 8572 402337 9476 405182 TlsGetValue 8572->9476 8574 402342 9477 408e27 8574->9477 8577 4051a0 3 API calls 8578 402350 8577->8578 8579 401fba 36 API calls 8578->8579 8579->8562 8581 40e660 21 API calls 8580->8581 8599 40197a 8581->8599 8582 4019fb 8583 40a220 RtlAllocateHeap 8582->8583 8584 401a05 8583->8584 9534 40e520 GetLastError TlsGetValue SetLastError 8584->9534 8586 401a0f 9535 40e520 GetLastError TlsGetValue SetLastError 8586->9535 8587 405dc0 3 API calls 8587->8599 8589 401a17 9536 40add6 8589->9536 8592 40e520 GetLastError TlsGetValue 
SetLastError 8592->8599 8593 40e560 3 API calls 8594 401a28 GetTempFileNameW 8593->8594 9545 40e520 GetLastError TlsGetValue SetLastError 8594->9545 8596 401a46 9546 40e520 GetLastError TlsGetValue SetLastError 8596->9546 8597 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 8597->8599 8599->8582 8599->8587 8599->8592 8599->8597 8601 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8599->8601 8600 401a4e 8602 40a240 4 API calls 8600->8602 8601->8599 8603 401a59 8602->8603 8604 40e560 3 API calls 8603->8604 8605 401a65 8604->8605 9547 40ae67 8605->9547 8611 401a9b 9556 40e520 GetLastError TlsGetValue SetLastError 8611->9556 8613 401aa3 8614 40a240 4 API calls 8613->8614 8615 401aae 8614->8615 8616 40e560 3 API calls 8615->8616 8617 401aba 8616->8617 8618 40ae67 2 API calls 8617->8618 8619 401ac5 8618->8619 8620 40ad45 3 API calls 8619->8620 8621 401ad0 GetTempFileNameW PathAddBackslashW 8620->8621 9557 40e520 GetLastError TlsGetValue SetLastError 8621->9557 8623 401afb 9558 40e520 GetLastError TlsGetValue SetLastError 8623->9558 8625 401b03 8626 40a240 4 API calls 8625->8626 8627 401b0e 8626->8627 8628 40e560 3 API calls 8627->8628 8629 401b1a 8628->8629 8630 40ae67 2 API calls 8629->8630 8631 401b25 PathRenameExtensionW GetTempFileNameW 8630->8631 9559 40e520 GetLastError TlsGetValue SetLastError 8631->9559 8633 401b54 9560 40e520 GetLastError TlsGetValue SetLastError 8633->9560 8635 401b5c 8636 40a240 4 API calls 8635->8636 8637 401b67 8636->8637 8638 40e560 3 API calls 8637->8638 8639 401b73 8638->8639 9561 40a200 HeapFree 8639->9561 8641 401b7c 8642 40e5f0 HeapFree 8641->8642 8643 401b89 8642->8643 8644 40e5f0 HeapFree 8643->8644 8645 401b92 8644->8645 8646 40e5f0 HeapFree 8645->8646 8647 401b9b 8646->8647 8648 40469c 8647->8648 8649 40e660 21 API calls 8648->8649 8653 4046a9 8649->8653 8650 40472a 9568 40e520 GetLastError TlsGetValue SetLastError 8650->9568 8651 40e520 GetLastError TlsGetValue SetLastError 8651->8653 8653->8650 8653->8651 8655 405dc0 3 API 
calls 8653->8655 8662 40e6c0 wcslen TlsGetValue HeapReAlloc HeapReAlloc 8653->8662 8667 40e560 TlsGetValue RtlAllocateHeap RtlReAllocateHeap 8653->8667 8654 404730 8656 403539 98 API calls 8654->8656 8655->8653 8657 404746 8656->8657 8658 40e560 3 API calls 8657->8658 8659 404750 8658->8659 9569 40afda 8659->9569 8662->8653 8663 40e5f0 HeapFree 8664 404764 8663->8664 8665 40e5f0 HeapFree 8664->8665 8666 40476d 8665->8666 8668 40e5f0 HeapFree 8666->8668 8667->8653 8669 404522 8668->8669 8670 40e520 GetLastError TlsGetValue SetLastError 8669->8670 8670->7880 8672 40e660 21 API calls 8671->8672 8673 403543 8672->8673 8674 4051a0 3 API calls 8673->8674 8675 40354c 8674->8675 8676 405060 2 API calls 8675->8676 8677 403558 8676->8677 8678 403563 8677->8678 8679 403587 8677->8679 9574 40e520 GetLastError TlsGetValue SetLastError 8678->9574 8681 403591 8679->8681 8682 4035b4 8679->8682 9582 40e520 GetLastError TlsGetValue SetLastError 8681->9582 8684 4035e7 8682->8684 8685 4035be 8682->8685 8683 403569 9575 40e520 GetLastError TlsGetValue SetLastError 8683->9575 8687 4035f1 8684->8687 8688 40361a 8684->8688 9583 40e520 GetLastError TlsGetValue SetLastError 8685->9583 9601 40e520 GetLastError TlsGetValue SetLastError 8687->9601 8696 403624 8688->8696 8697 40364d 8688->8697 8689 40359d 8693 40e6c0 4 API calls 8689->8693 8699 4035a5 8693->8699 8694 403571 9576 40ae75 8694->9576 8695 4035c4 9584 40e520 GetLastError TlsGetValue SetLastError 8695->9584 9603 40e520 GetLastError TlsGetValue SetLastError 8696->9603 8700 403680 8697->8700 8701 403657 8697->8701 8698 4035f7 9602 40e520 GetLastError TlsGetValue SetLastError 8698->9602 8706 40e560 3 API calls 8699->8706 8711 4036b3 8700->8711 8712 40368a 8700->8712 9605 40e520 GetLastError TlsGetValue SetLastError 8701->9605 8714 403582 8706->8714 8709 4035cc 9585 40aeba 8709->9585 8710 40362a 9604 40e520 GetLastError TlsGetValue SetLastError 8710->9604 8716 4036e6 8711->8716 8717 4036bd 8711->8717 9607 40e520 GetLastError TlsGetValue 
SetLastError 8712->9607 8713 4035ff 8725 40aeba 17 API calls 8713->8725 9572 40e520 GetLastError TlsGetValue SetLastError 8714->9572 8715 40365d 9606 40e520 GetLastError TlsGetValue SetLastError 8715->9606 8723 4036f0 8716->8723 8724 403719 8716->8724 9609 40e520 GetLastError TlsGetValue SetLastError 8717->9609 8718 40e560 3 API calls 8718->8714 8722 403690 9608 40e520 GetLastError TlsGetValue SetLastError 8722->9608 9611 40e520 GetLastError TlsGetValue SetLastError 8723->9611 8736 403723 8724->8736 8737 403749 8724->8737 8733 40360b 8725->8733 8729 403632 8739 40aeba 17 API calls 8729->8739 8746 40e560 3 API calls 8733->8746 8734 403665 8747 40aeba 17 API calls 8734->8747 8735 4036c3 9610 40e520 GetLastError TlsGetValue SetLastError 8735->9610 9613 40e520 GetLastError TlsGetValue SetLastError 8736->9613 8744 4037a1 8737->8744 8745 403753 8737->8745 8738 40e560 3 API calls 8798 4035e2 8738->8798 8740 40363e 8739->8740 8750 40e560 3 API calls 8740->8750 8741 4037cb 8751 40e6c0 4 API calls 8741->8751 8742 403698 8752 40aeba 17 API calls 8742->8752 8743 4036f6 9612 40e520 GetLastError TlsGetValue SetLastError 8743->9612 9643 40e520 GetLastError TlsGetValue SetLastError 8744->9643 9615 40e520 GetLastError TlsGetValue SetLastError 8745->9615 8746->8798 8756 403671 8747->8756 8750->8798 8759 4037d3 8751->8759 8760 4036a4 8752->8760 8764 40e560 3 API calls 8756->8764 8757 4036cb 8765 40aeba 17 API calls 8757->8765 8758 403729 9614 40e520 GetLastError TlsGetValue SetLastError 8758->9614 9573 405170 TlsGetValue 8759->9573 8769 40e560 3 API calls 8760->8769 8761 4036fe 8770 40aeba 17 API calls 8761->8770 8762 403759 9616 40e520 GetLastError TlsGetValue SetLastError 8762->9616 8763 4037a7 9644 40e520 GetLastError TlsGetValue SetLastError 8763->9644 8764->8798 8773 4036d7 8765->8773 8767 403731 8774 40aeba 17 API calls 8767->8774 8769->8798 8776 40370a 8770->8776 8779 40e560 3 API calls 8773->8779 8780 40373d 8774->8780 8775 4037da 8785 40e5f0 HeapFree 8775->8785 8781 40e560 3 
API calls 8776->8781 8777 403761 9617 409355 8777->9617 8778 4037af 8783 40ae75 5 API calls 8778->8783 8779->8798 8784 40e560 3 API calls 8780->8784 8781->8798 8787 4037b6 8783->8787 8784->8798 8788 4037f2 8785->8788 8790 40e560 3 API calls 8787->8790 8791 40e5f0 HeapFree 8788->8791 8789 40e560 3 API calls 8792 40377c 8789->8792 8790->8714 8793 4037fa 8791->8793 8794 403795 8792->8794 8795 403789 8792->8795 8793->7883 8797 401fba 36 API calls 8794->8797 9640 4056d8 8795->9640 8797->8798 8798->8714 8799->7887 8800->7889 8802 40e660 21 API calls 8801->8802 8803 402bb0 8802->8803 8804 4051a0 3 API calls 8803->8804 8805 402bb9 8804->8805 8806 405060 2 API calls 8805->8806 8807 402bc5 8806->8807 8808 40a220 RtlAllocateHeap 8807->8808 8809 402bcf GetShortPathNameW 8808->8809 9654 40e520 GetLastError TlsGetValue SetLastError 8809->9654 8811 402beb 9655 40e520 GetLastError TlsGetValue SetLastError 8811->9655 8813 402bf3 8814 40a290 5 API calls 8813->8814 8815 402c03 8814->8815 8816 40e560 3 API calls 8815->8816 8817 402c0d 8816->8817 9656 40a200 HeapFree 8817->9656 8819 402c16 9657 40e520 GetLastError TlsGetValue SetLastError 8819->9657 8821 402c20 8822 40e6c0 4 API calls 8821->8822 8823 402c28 8822->8823 9658 405170 TlsGetValue 8823->9658 8825 402c2f 8826 40e5f0 HeapFree 8825->8826 8827 402c46 8826->8827 8828 40e5f0 HeapFree 8827->8828 8829 402c4f 8828->8829 8830 40e720 TlsGetValue 8829->8830 8830->7893 8831->7895 8833 404594 8832->8833 8834 4099ac SetEnvironmentVariableW 8832->8834 8833->7898 8834->8833 8836->7901 8838 403807 8837->8838 8838->8838 8839 40e660 21 API calls 8838->8839 8858 403819 8839->8858 8840 40389a 9659 40e520 GetLastError TlsGetValue SetLastError 8840->9659 8842 4038a0 9660 40e520 GetLastError TlsGetValue SetLastError 8842->9660 8844 4038a8 9661 40e520 GetLastError TlsGetValue SetLastError 8844->9661 8845 405dc0 3 API calls 8845->8858 8847 4038b0 9662 40e520 GetLastError TlsGetValue SetLastError 8847->9662 8848 40e560 TlsGetValue RtlAllocateHeap 

          Control-flow Graph

          APIs
            • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
            • Part of subcall function 0040E900: HeapReAlloc.KERNEL32(020C0000,00000000,?,?), ref: 0040E967
          • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000), ref: 0040ADED
          • LoadLibraryW.KERNEL32(Kernel32.DLL,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040ADFA
          • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040AE0C
          • GetLongPathNameW.KERNELBASE(00000000,00000000,00000104,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000), ref: 0040AE19
          • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00401A1E,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040AE1E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: LibraryPath$AddressAllocFreeHeapLoadLongNameProcTempValue
          • String ID: GetLongPathNameW$Kernel32.DLL
          • API String ID: 820969696-2943376620
          • Opcode ID: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
          • Instruction ID: e37525813661028bcc8eb249af8eccfe35d88e27d7fdedfae3674fb0e28627f1
          • Opcode Fuzzy Hash: d689e7c6ef715de522d1227690b0767884cdf769d34ed9e685d0497adf4c9375
          • Instruction Fuzzy Hash: FAF082722452547FC3216BB6AC8CEEB3EACDF86755300443AF905E2251EA7C5D2086BD
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • memset.MSVCRT ref: 00409A69
          • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409AF1
          • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B46
          • CreatePipe.KERNEL32(?,?,?,00000000,?,?,00000000,00000000,00404626,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00409B8C
          • GetStdHandle.KERNEL32(000000F6), ref: 00409BD6
          • GetStdHandle.KERNEL32(000000F5), ref: 00409BEA
          • GetStdHandle.KERNEL32(000000F4), ref: 00409BFE
          • wcslen.MSVCRT ref: 00409C2A
          • wcslen.MSVCRT ref: 00409C38
          • HeapAlloc.KERNEL32(00000000,00000000), ref: 00409C52
          • wcscpy.MSVCRT ref: 00409C6A
          • wcscat.MSVCRT ref: 00409C71
          • wcscat.MSVCRT ref: 00409C7C
          • wcscpy.MSVCRT ref: 00409C88
          • wcscat.MSVCRT ref: 00409CA3
          • wcscat.MSVCRT ref: 00409CB0
          • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,00000000,?,?,?), ref: 00409CEA
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D08
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D14
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D20
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D26
          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,?,?), ref: 00409D3A
          • EnterCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D4C
          • LeaveCriticalSection.KERNEL32(00418730,?,00000000,?,?,?), ref: 00409D63
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409D97
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DAE
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DBA
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DC6
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DD2
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DDE
          • CloseHandle.KERNEL32(?,?,00000000,?,?,?), ref: 00409DEA
          • wcslen.MSVCRT ref: 00409E04
          • wcscpy.MSVCRT ref: 00409E2A
          • memset.MSVCRT ref: 00409E56
          • ShellExecuteExW.SHELL32 ref: 00409EB3
          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00409ED2
          • EnterCriticalSection.KERNEL32(00418730), ref: 00409EE4
          • LeaveCriticalSection.KERNEL32(00418730), ref: 00409EFB
            • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
            • Part of subcall function 004099C7: GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
            • Part of subcall function 004099C7: DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
            • Part of subcall function 004099C7: CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
          • HeapFree.KERNEL32(00000000,?), ref: 00409F37
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Handle$Close$CreateCriticalSectionwcscat$PipeProcesswcscpywcslen$CurrentEnterHeapLeaveObjectSingleWaitmemset$AllocDuplicateExecuteFreeShell
          • String ID: $0A$x
          • API String ID: 550696126-3693508903
          • Opcode ID: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
          • Instruction ID: 1938edec6f8ec7f018cd84e447521b205a2f1ffc1a01eed9409a43f0bd8935e3
          • Opcode Fuzzy Hash: b00f057bc40639e3ebc36098d4fb4d898885556d00f241ad15d102da0fe35fa9
          • Instruction Fuzzy Hash: 8AE15B71908341AFD321DF24D841B9BBBE4FF84350F148A3FF499A2291DB799944CB9A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • memset.MSVCRT ref: 0040100F
          • GetModuleHandleW.KERNEL32(00000000), ref: 0040101C
          • HeapCreate.KERNEL32(00000000,00001000,00000000,00000000), ref: 00401035
            • Part of subcall function 0040E4D0: HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
            • Part of subcall function 0040E4D0: TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
            • Part of subcall function 0040A1C0: HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
            • Part of subcall function 00409669: InitializeCriticalSection.KERNEL32(00418730,00000004,00000004,0040963C,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 00409691
            • Part of subcall function 00408DEE: memset.MSVCRT ref: 00408DFB
            • Part of subcall function 00408DEE: InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
            • Part of subcall function 00408DEE: CoInitialize.OLE32(00000000), ref: 00408E1D
            • Part of subcall function 004053B5: InitializeCriticalSection.KERNEL32(00418708,0040107B,00000000,00001000,00000000,00000000), ref: 004053BA
          • GetStdHandle.KERNEL32(FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040109A
            • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
            • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
            • Part of subcall function 0040A460: HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
            • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000), ref: 0040AA98
            • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AAB1
            • Part of subcall function 0040AA5A: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,?,004010CE,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000), ref: 0040AABB
            • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(00000000,00000034,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9DB
            • Part of subcall function 0040A9C8: HeapAlloc.KERNEL32(FFFFFFF5,00000008,?,?,?,004010E9,00000008,00000000,0041706C,00000007,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A9F0
            • Part of subcall function 0040E266: RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
            • Part of subcall function 0040E266: memset.MSVCRT ref: 0040E2D1
          • SetConsoleCtrlHandler.KERNEL32(00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064,00000008,00000008), ref: 0040116F
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
            • Part of subcall function 00401BA0: LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
            • Part of subcall function 00401BA0: EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
            • Part of subcall function 00401BA0: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03
          • ExitProcess.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011B6
          • HeapDestroy.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011C6
          • ExitProcess.KERNEL32(00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 004011CB
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Heap$Alloc$Free$CreateInitializememset$AllocateCriticalErrorExitHandleLastLibraryProcessSectionValue$CommonConsoleControlsCtrlDestroyEnumHandlerInitLoadModuleResourceTypes
          • String ID: .pA$:pA$|pA
          • API String ID: 1974305647-3272395972
          • Opcode ID: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
          • Instruction ID: c3718d3f77f1aa7f822ccfb4f0aafd009571b65037601bc21910cdbb085b96b1
          • Opcode Fuzzy Hash: 11f145e1b951a2c6a28e78b56360a089cdbe7b1a81af6c9d6466caa6387cbb0c
          • Instruction Fuzzy Hash: 77313271680704A9E200B7B39C47F9E3A18AB1874CF11883FB744790E3DEBC55584A6F
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
            • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
          • GetTempFileNameW.KERNEL32(?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404519), ref: 00401A3B
          • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024,00000000,00000000,?,00000000,00000000,00000400,00000000), ref: 00401A90
          • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AE5
          • PathAddBackslashW.SHLWAPI(00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,?,00417024), ref: 00401AF0
          • PathRenameExtensionW.SHLWAPI(?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000), ref: 00401B2F
          • GetTempFileNameW.KERNEL32(00417024,00000000,00000000,?,00000000,?,00000000,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00417024), ref: 00401B49
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
            • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020C0000,00000000,?,?), ref: 0040E5BC
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: FileNameTemp$Value$AllocateErrorHeapLastPath$BackslashExtensionRenamewcslen
          • String ID: $pA$$pA$$pA$$pA
          • API String ID: 368575804-1531182785
          • Opcode ID: 417cfe909ad584d3d84b117594ea6d6ab06f79ec2e3b7b64df38e28ad1b69bb8
          • Instruction ID: 7226354e244135f3a7293121bd0c5faf706f4cf1cd60fca57ba481f11b9cb304
          • Opcode Fuzzy Hash: 417cfe909ad584d3d84b117594ea6d6ab06f79ec2e3b7b64df38e28ad1b69bb8
          • Instruction Fuzzy Hash: 3D510F71104304BED600BBB2DC42E7F7A6DEB84308F018C3FB540A50E2EA3D99655A6E
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1B1
          • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B1F2
          • CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00000000,00000000), ref: 0040B23C
          • CreateFileW.KERNEL32(?,40000000,?,00000000,00000005,00000000,00000000,?,?,?,00000000,00000000), ref: 0040B25E
          • HeapAlloc.KERNEL32(00000000,00001000,?,?,?,?,00000000,00000000), ref: 0040B297
          • SetFilePointer.KERNEL32(?,00000000,?,00000002), ref: 0040B2EA
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: File$Create$AllocHeapPointer
          • String ID:
          • API String ID: 4207849991-0
          • Opcode ID: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
          • Instruction ID: 8d8b4ccba24edc48a090e0818cc57ca2d498b7de68d829e88f81714118269cc7
          • Opcode Fuzzy Hash: 1dd6c58127759367adb822d4a0e0d9138a9c495b34507b1400e0ba0402d2ad51
          • Instruction Fuzzy Hash: D251B171244301ABE3208E15DC49B6BBAE5EB44764F24493EFD81A63E0D779E8458B8D
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • EnterCriticalSection.KERNEL32(00418684,0041867C,0040E062,00000000,FFFFFFED,00000200,77435E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DEDA
          • HeapAlloc.KERNEL32(00000000,00000018,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040DF11
          • LeaveCriticalSection.KERNEL32(00418684,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DF6A
          • RtlAllocateHeap.NTDLL(00000000,00000038,00000000,FFFFFFED,00000200,77435E70,0040A4F6,FFFFFFED,00000010,00010000,00000004,00000200), ref: 0040DF7B
          • InitializeCriticalSection.KERNEL32(00000020,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040DFB7
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: CriticalSection$Heap$AllocAllocateEnterInitializeLeave
          • String ID:
          • API String ID: 1272335518-0
          • Opcode ID: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
          • Instruction ID: e12e1174ac54fca87ec7e67201d5359a366fc17122bfc308660e030bf91fb77e
          • Opcode Fuzzy Hash: d472077d75a53df2d0dde7d61b18959a765d34bb65c31e97d0a70733ac938e24
          • Instruction Fuzzy Hash: 90318D71940B069BC3208F95D844A52FBF0FB44720B19C93EE446A77A0DB78E908CB99
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
            • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020C0000,00000000,?,?), ref: 0040E5BC
          • GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,00000000,?,020C9F70,00000000,00000000), ref: 0040445B
          • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00404554
            • Part of subcall function 00402BA6: GetShortPathNameW.KERNEL32(020C9F70,020C9F70,00002710), ref: 00402BE0
            • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
            • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
            • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNELBASE(020C9F70,020C9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
            • Part of subcall function 00401E66: PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,00000000,00000000,00000000,00000000,-00000004,004045DB,00000000,00000000,00000000,020C9F70,020C8968,00000000,00000000), ref: 00401E9B
          • SetConsoleCtrlHandler.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,020C9F70,020C8968,00000000,00000000,00000000), ref: 00404636
            • Part of subcall function 0040548C: CreateThread.KERNEL32(00000000,00001000,?,?,00000000,020C9F70), ref: 004054A5
            • Part of subcall function 0040548C: EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
            • Part of subcall function 0040548C: WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
            • Part of subcall function 0040548C: CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
            • Part of subcall function 0040548C: LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Value$Path$AllocateCriticalErrorHandleHeapLastSection$BackslashCloseConsoleCreateCtrlEnterEnvironmentHandlerLeaveModuleNameObjectQuoteRemoveShortSingleSpacesThreadVariableWaitwcslen
          • String ID: pA
          • API String ID: 2577741277-3402996844
          • Opcode ID: 5d668cb04b71de2f480a77bc2cc63b906295f5a7c4242ac04163e6f1321037e2
          • Instruction ID: 999f5745f1e250978be3a13d4136388ffeb6a971fca5c6bbec0ef146a0a58392
          • Opcode Fuzzy Hash: 5d668cb04b71de2f480a77bc2cc63b906295f5a7c4242ac04163e6f1321037e2
          • Instruction Fuzzy Hash: 4712FAB5504304BED600BBB29C8197F77BCEB89718F10CC3FB544A6192EA3CD9559B2A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
            • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
          • PathQuoteSpacesW.SHLWAPI(00000000,00000000,020C89E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00404626,00000000,00000000,00000000,?), ref: 00403CE6
            • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020C0000,00000000,?,?), ref: 0040E5BC
          • PathQuoteSpacesW.SHLWAPI(?,00000000,00000000,0041702A,00000000,00000000,00000000,00000000,020C89E8,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00403D1F
            • Part of subcall function 0040AE75: GetCurrentDirectoryW.KERNEL32(00000104,00000000,00000104,00000000,?,?,0000000A,004037B6,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746), ref: 0040AE8B
            • Part of subcall function 0040E720: TlsGetValue.KERNEL32(0000000D,?,?,00401DDF,00000000,00000000,00000000,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000), ref: 0040E72A
            • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
            • Part of subcall function 004098F7: WaitForSingleObject.KERNEL32(020C9F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044), ref: 00409904
            • Part of subcall function 004098F7: PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,020C9F70,00000000,?,?,?,00403DC7,?,00000000,00000000,00000000,0041702A,?), ref: 00409921
            • Part of subcall function 004056D8: timeBeginPeriod.WINMM(00000001,00403793,00000001,?,00000000,00417024,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000,00000000), ref: 004056E3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Value$AllocateErrorHeapLastPathQuoteSpaces$BeginCurrentDirectoryNamedObjectPeekPeriodPipeSingleWaittimewcslen
          • String ID: *pA$*pA
          • API String ID: 2955313036-2893952571
          • Opcode ID: 8d7ca3d34e552a4b3e4813a4e2a868de4bbf3c1973305ed030a1fd90886de301
          • Instruction ID: 17d0f5624b42dd18ceef5440812bdbba4c8a787aaabb2d2d00a5c22853b10036
          • Opcode Fuzzy Hash: 8d7ca3d34e552a4b3e4813a4e2a868de4bbf3c1973305ed030a1fd90886de301
          • Instruction Fuzzy Hash: 4E41D875104205AAC600BF73DC8293F7669EFD4708F50CD3EB184361E2EA3D9D25AB6A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
            • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 00409698: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
            • Part of subcall function 00409698: wcscmp.MSVCRT ref: 004096C2
            • Part of subcall function 00409698: memmove.MSVCRT ref: 004096DA
            • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0,00000000), ref: 00401BDE
          • EnumResourceTypesW.KERNEL32(00000000,00000000,00000000), ref: 00401BFB
          • FreeLibrary.KERNEL32(?,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,0040119C,004180A0), ref: 00401C03
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Value$ErrorLastLibrary$AllocateEnumFileFreeHeapLoadModuleNameResourceTypesmemmovewcscmpwcslen
          • String ID:
          • API String ID: 983379767-0
          • Opcode ID: daa4a2f45eb59f3489035f7ac704f19fa2d9e105317b1c650053be6a57c9566a
          • Instruction ID: 6d1e308804f6dc32779c3279b2fcfe03024d17212ecc119a6d6b7423f9e5f936
          • Opcode Fuzzy Hash: daa4a2f45eb59f3489035f7ac704f19fa2d9e105317b1c650053be6a57c9566a
          • Instruction Fuzzy Hash: C951D7B66052007AE500BBB39D82D7F626DDBC571CB108C3FB440650E3EA3D9D616A6E
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 846 40b6a0-40b6b4 847 40b7a7-40b7ad 846->847 848 40b6ba-40b6be 846->848 849 40b6c0-40b6e8 SetFilePointer 848->849 850 40b6eb-40b6f5 848->850 849->850 851 40b6f7-40b702 850->851 852 40b768-40b773 call 40b0c0 850->852 853 40b753-40b765 851->853 854 40b704-40b705 851->854 861 40b795-40b7a2 852->861 862 40b775-40b792 WriteFile 852->862 856 40b707-40b70a 854->856 857 40b73c-40b750 854->857 859 40b727-40b739 856->859 860 40b70c-40b70d 856->860 863 40b711-40b724 memcpy 860->863 861->863
          APIs
          • SetFilePointer.KERNELBASE(?,?,?,00000001), ref: 0040B6D8
          • memcpy.MSVCRT ref: 0040B712
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: FilePointermemcpy
          • String ID:
          • API String ID: 1104741977-0
          • Opcode ID: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
          • Instruction ID: c1513f54f6ae5569788c36180188ddc2abd705510cfe10eedfb0010ba837d0d9
          • Opcode Fuzzy Hash: 02d62d909d0369cf033ef3da9330b5dd6b1d06cd86180aa2b8ba7b2c57c5f325
          • Instruction Fuzzy Hash: DA312A3A2047019FC320DF29D844E9BB7E5EFD8714F04882EE59A97750D335E919CBAA
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 864 40e560-40e587 TlsGetValue 865 40e5a6-40e5c5 RtlReAllocateHeap 864->865 866 40e589-40e5a4 RtlAllocateHeap 864->866 867 40e5c7-40e5ed call 40ea40 865->867 866->867
          APIs
          • TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
          • RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
          • RtlReAllocateHeap.NTDLL(020C0000,00000000,?,?), ref: 0040E5BC
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AllocateHeap$Value
          • String ID:
          • API String ID: 2497967046-0
          • Opcode ID: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
          • Instruction ID: 56fdceb44a62e96a78129ec9cee9786d08dacee7710f0624d62ab86a2b9feb41
          • Opcode Fuzzy Hash: 3c4de4927df5d1280fe3f97ef1b5d41f3313172c187ce59835a5c327154ebcf4
          • Instruction Fuzzy Hash: 6011E974600208FFCB04CF99D894E9ABBB6FF88314F20C569E8099B354D734AA41DB94
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 870 40ad45-40ad52 871 40ad54-40ad86 wcsncpy wcslen 870->871 872 40adbd 870->872 874 40ad9e-40ada6 871->874 873 40adbf-40adc2 872->873 875 40ad88-40ad8f 874->875 876 40ada8-40adbb CreateDirectoryW 874->876 877 40ad91-40ad94 875->877 878 40ad9b 875->878 876->873 877->878 879 40ad96-40ad99 877->879 878->874 879->876 879->878
          APIs
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: CreateDirectorywcslenwcsncpy
          • String ID:
          • API String ID: 961886536-0
          • Opcode ID: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
          • Instruction ID: 2d24f661812d06aabf4acf2af4a599dd38efaf3f9e777f7594d650cf82d0c1de
          • Opcode Fuzzy Hash: d6c445466f8a19e48a25e4a2068d10de2bbe29753fac2d082d2e760440aa5e2b
          • Instruction Fuzzy Hash: 9A01DBB0401318D6CB65DB64CC89AFE7379DF04301F6046BBE815E25D1E7389AA4DB4A
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 880 408dee-408e26 memset InitCommonControlsEx CoInitialize
          APIs
          • memset.MSVCRT ref: 00408DFB
          • InitCommonControlsEx.COMCTL32(00000008,00001000), ref: 00408E15
          • CoInitialize.OLE32(00000000), ref: 00408E1D
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: CommonControlsInitInitializememset
          • String ID:
          • API String ID: 2179856907-0
          • Opcode ID: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
          • Instruction ID: 955719fea0046c6293a44e32614ed026eb147d3324017d94785fb64326744d49
          • Opcode Fuzzy Hash: d861f93e929e8b2be3fa0307ea6de5ff81dc4c61bc6e7fbf8c72a90690fa8d51
          • Instruction Fuzzy Hash: FDE08CB088430CBBEB009BD0EC0EF8DBB7CEB00315F4041A4F904A2280EBB466488B95
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 881 4099a5-4099aa 882 4099c4 881->882 883 4099ac-4099b2 881->883 884 4099b4 883->884 885 4099b9-4099be SetEnvironmentVariableW 883->885 884->885 885->882
          APIs
          • SetEnvironmentVariableW.KERNELBASE(020C9F70,020C9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: EnvironmentVariable
          • String ID: $0A
          • API String ID: 1431749950-513306843
          • Opcode ID: c92aad9fdd5c3c8ab1daeb637eb2d23f1451a042da96c25929af1641449dc86f
          • Instruction ID: aa531fc2ff4271b490b4da26c39a2883f909eecf40e951fe565ba9eea3f0378e
          • Opcode Fuzzy Hash: c92aad9fdd5c3c8ab1daeb637eb2d23f1451a042da96c25929af1641449dc86f
          • Instruction Fuzzy Hash: 36C012B0204201ABD710CA04CD04B67BBE4EB50345F00C43EB184913B1C338CC40DB05
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 886 40b440-40b459 call 40db18 889 40b4ee-40b4f3 886->889 890 40b45f-40b47e CreateFileW 886->890 891 40b480-40b482 890->891 892 40b4d2-40b4d5 890->892 891->892 895 40b484-40b48b 891->895 893 40b4d7 892->893 894 40b4d9-40b4e0 call 40da8a 892->894 893->894 900 40b4e5-40b4eb 894->900 897 40b4a0 895->897 898 40b48d-40b49e HeapAlloc 895->898 899 40b4a3-40b4ca 897->899 898->899 901 40b4cc 899->901 902 40b4ce-40b4d0 899->902 901->902 902->892 902->900
          APIs
            • Part of subcall function 0040DB18: EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
            • Part of subcall function 0040DB18: LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
          • CreateFileW.KERNELBASE(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000), ref: 0040B473
          • HeapAlloc.KERNEL32(00000000,00001000,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B495
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: CriticalSection$AllocCreateEnterFileHeapLeave
          • String ID:
          • API String ID: 3705299215-0
          • Opcode ID: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
          • Instruction ID: 11d32f41a61cd8df30a66e4113f3bfff31ba723ad3a0b0249673477e2beeffa2
          • Opcode Fuzzy Hash: 770ca6dcf0c78f014627849ec7c08e1bba775e026bf20b1c3eb2924782468709
          • Instruction Fuzzy Hash: 62119371200304ABC2305F1ADC44B57BBF8EBC5764F14823EF565A37E1C77599158BA8
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040E3B9: HeapFree.KERNEL32(00000000,-00000018,00000200,00000000,0040E277,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004), ref: 0040E3FA
          • RtlAllocateHeap.NTDLL(00000000,FFFFFFDD,?,00000200,?,?,?,0040112D,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040E296
          • memset.MSVCRT ref: 0040E2D1
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Heap$AllocateFreememset
          • String ID:
          • API String ID: 2774703448-0
          • Opcode ID: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
          • Instruction ID: 6d5d9c53e9755405ffb3e8ab18b4b48e318f9db4ecaa07005482283559b0ef73
          • Opcode Fuzzy Hash: e4601c40af4f90fd6d7b6dc76b08f4e14a7cbeae79d3d170558c75ed44b030ef
          • Instruction Fuzzy Hash: 5D117F72504314ABC320DF0AD944A4BBBE8EF88710F01492EF988A7351D774ED108BA5
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • HeapFree.KERNEL32(00000000,?,00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000), ref: 0040B093
          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00403394,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000,00000800), ref: 0040B09B
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: ChangeCloseFindFreeHeapNotification
          • String ID:
          • API String ID: 1642550653-0
          • Opcode ID: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
          • Instruction ID: 7abf06afc9ef833db34d05f69b67e4dbbe1385027aa9b24abf0250c41048a97e
          • Opcode Fuzzy Hash: bcdd82019f876fc489b22f42e5959096ccfe265fa7cf8be21467e7666472b7d6
          • Instruction Fuzzy Hash: 1AF08C32505110ABC6322B6AEC09E8BBA72EF81724F148A3FF125314F4CB794850DF9C
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
          • RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00402011
          • RemoveDirectoryW.KERNEL32(00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 0040201C
            • Part of subcall function 004053C1: WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002,00000000), ref: 004053D1
            • Part of subcall function 00405430: TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405440
            • Part of subcall function 00405430: EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040544C
            • Part of subcall function 00405430: LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405480
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: CriticalDirectoryRemoveSection$EnterLeaveObjectSingleTerminateThreadValueWait
          • String ID:
          • API String ID: 1205394408-0
          • Opcode ID: 80bbef749e469d8075b69d7c5fbc03918b8729a07b9c497950af765b831500ca
          • Instruction ID: d40c1fb095c70f871a48011b079aac708deae745ba771cefaa1841cdafdcac49
          • Opcode Fuzzy Hash: 80bbef749e469d8075b69d7c5fbc03918b8729a07b9c497950af765b831500ca
          • Instruction Fuzzy Hash: 72F0C034454604ABCA117B72FC82D5B3E6AEB1434CB05893EF544700B2CF3A5869AA5E
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetFileAttributesW.KERNEL32(00000002,00000080,0040AE72,020C9F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000), ref: 0040AE50
          • DeleteFileW.KERNELBASE(00000000,0040AE72,020C9F70,00000000,00401FF0,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040AE5A
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: File$AttributesDelete
          • String ID:
          • API String ID: 2910425767-0
          • Opcode ID: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
          • Instruction ID: 9bbbf45483326d305172a49cd8f3e34a401707f8027ad8c24340846d3084d85d
          • Opcode Fuzzy Hash: 856d1dee773f9fe4b81d39230ef639874c988cfb4423ff7bdc63b5e612766022
          • Instruction Fuzzy Hash: 36D09E30488300BBD7555B20DD0D75B7EA16F90745F08CC79B585610F1C7788C64EB4A
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4DC
          • TlsAlloc.KERNEL32(?,00401053,00000000,00001000,00000000,00000000), ref: 0040E4E7
            • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(020C0000,00000000,0000000C,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED4E
            • Part of subcall function 0040ED40: HeapAlloc.KERNEL32(020C0000,00000000,00000010,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED62
            • Part of subcall function 0040ED40: TlsSetValue.KERNEL32(0000000D,00000000,?,?,0040E4F7,?,00401053,00000000,00001000,00000000,00000000), ref: 0040ED8B
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AllocHeap$CreateValue
          • String ID:
          • API String ID: 493873155-0
          • Opcode ID: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
          • Instruction ID: 280f0189a1b64710240dfbe11500258ab370f1237584088fdcd0bc4150eb2939
          • Opcode Fuzzy Hash: db5b467741c0f00c93d1fd6ff26af59c18c3d1bccb059c91a176208ebbe690b4
          • Instruction Fuzzy Hash: F1D012705C83046BE7002BB2BC4A7843A78DB04751F20843AFA095B3D0DAB45480895D
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • HeapDestroy.KERNELBASE(020C0000,?,004011C0,00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007), ref: 0040E509
          • TlsFree.KERNELBASE(0000000D,?,004011C0,00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007), ref: 0040E516
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: DestroyFreeHeap
          • String ID:
          • API String ID: 3293292866-0
          • Opcode ID: 875c8584e72ba4f9f6744ae97eca28bebe5277f14eb27a090d40f9eb6c4fb1f8
          • Instruction ID: d3e7c01ca3d7982612482afa56f4a58b9e79d24a02adeb1917deb37a1309afc3
          • Opcode Fuzzy Hash: 875c8584e72ba4f9f6744ae97eca28bebe5277f14eb27a090d40f9eb6c4fb1f8
          • Instruction Fuzzy Hash: D8C04C71158208ABCB049BA8FD488D63BBDE7486013448578B50D837A1DA75E840CB58
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
            • Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
          • GetShortPathNameW.KERNEL32(020C9F70,020C9F70,00002710), ref: 00402BE0
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
            • Part of subcall function 0040A200: HeapFree.KERNEL32(00000000,00000000,00401B7C,00000000,00000000,?,00000000,00000000,00417024,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040A20C
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
            • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
            • Part of subcall function 0040E5F0: HeapFree.KERNEL32(020C0000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: HeapValue$AllocateErrorFreeLast$NamePathShortwcslen
          • String ID:
          • API String ID: 192546213-0
          • Opcode ID: f052a35f039049b8e927063d295d98a1685d0b83d51531e0627689d3041be432
          • Instruction ID: cfcced4fe20ace1cb9c77e507b1d6c1eac9b345b0de8df7ff04b6d7fabcc8d03
          • Opcode Fuzzy Hash: f052a35f039049b8e927063d295d98a1685d0b83d51531e0627689d3041be432
          • Instruction Fuzzy Hash: ED012975108205BAE501BB72DD06D3F7669EF80718F108C3EB444B50E2EA3D9C616A2E
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WriteFile.KERNELBASE(00000000,?,?,00000000,00000000,00000000,?,0040B088,00000000,00000000,?,?,00403394,00000000,00000000,00000800), ref: 0040B0E7
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: FileWrite
          • String ID:
          • API String ID: 3934441357-0
          • Opcode ID: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
          • Instruction ID: 9ab85608ef899c62796374e569d53c100cb89dcb0d5a9370bd5502097d7715ab
          • Opcode Fuzzy Hash: c522352010aa0ffdeb1c8550a8e7d9d94415fd1ef62632f4db173a1ec829df8d
          • Instruction Fuzzy Hash: F4F0F276104601AFD320CF58D808B87FBE8EB48321F00C82EE59AC2A50C730E810DB55
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetNativeSystemInfo.KERNEL32(00000000,?,00000000,00000000), ref: 00402B89
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: InfoNativeSystem
          • String ID:
          • API String ID: 1721193555-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetExitCodeProcess.KERNELBASE(020C9F70,00000000), ref: 00409F5D
          Similarity
          • API ID: CodeExitProcess
          • String ID:
          • API String ID: 3861947596-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
          Similarity
          • API ID: AllocateHeap
          • String ID:
          • API String ID: 1279760036-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • TlsFree.KERNELBASE(004011E9,004011BB,00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 0040D961
          Similarity
          • API ID: Free
          • String ID:
          • API String ID: 3978063606-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • HeapCreate.KERNELBASE(00000000,00001000,00000000,0040106C,00000000,00001000,00000000,00000000), ref: 0040A1C9
          Similarity
          • API ID: CreateHeap
          • String ID:
          • API String ID: 10892065-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • TerminateProcess.KERNELBASE(00000000,000000FF,00403DE2,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000,?,00000000), ref: 00409946
          Similarity
          • API ID: ProcessTerminate
          • String ID:
          • API String ID: 560597551-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • HeapDestroy.KERNELBASE(004011EE,004011BB,00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 0040A1B6
          Similarity
          • API ID: DestroyHeap
          • String ID:
          • API String ID: 2435110975-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
          • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000), ref: 00402675
          • SizeofResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402685
            • Part of subcall function 0040A220: RtlAllocateHeap.NTDLL(00000008,00000000,00402EAC,00000200,00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000), ref: 0040A231
            • Part of subcall function 0040A300: memcpy.MSVCRT ref: 0040A310
          • FreeResource.KERNEL32(?,020C9F70,020C9F70,00000000,00000000,00000000,00000000,00000000,00000000,00402E90,00000000,00000000,0000000A,00000000,00000000,00000000), ref: 004026B4
          Similarity
          • API ID: Resource$AllocateFreeHeapLoadSizeofValuememcpy
          • String ID:
          • API String ID: 4216414443-0
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Similarity
          • API ID:
          • String ID: L@A
          • API String ID: 0-2003014581
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetVersionExW.KERNEL32(?), ref: 00405593
            • Part of subcall function 0040552C: memset.MSVCRT ref: 0040553B
            • Part of subcall function 0040552C: GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
            • Part of subcall function 0040552C: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
          • GetVersionExW.KERNEL32(?), ref: 004055F2
          Similarity
          • API ID: Version$AddressHandleModuleProcmemset
          • String ID:
          • API String ID: 3445250173-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetUnhandledExceptionFilter.KERNEL32(00409F70,00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000), ref: 0040A0EC
          • SetUnhandledExceptionFilter.KERNEL32(00401180,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074,004180F0,00000004,00000000,00417064), ref: 0040A100
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: memcpy
          • String ID:
          • API String ID: 3510742995-0
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Similarity
          • API ID:
          • String ID: hAA
          • API String ID: 0-1362906312
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Similarity
          • API ID:
          • String ID: hAA
          • API String ID: 0-1362906312
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SetUnhandledExceptionFilter.KERNEL32(004011DA,004011BB,00000000,004180A0,00000000,00000000,00000000,00000001,00000004,00000000,00417064,00000008,0000000C,000186A1,00000007,00417074), ref: 00409FD6
          Similarity
          • API ID: ExceptionFilterUnhandled
          • String ID:
          • API String ID: 3192549508-0
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 00408E58: wcslen.MSVCRT ref: 00408E64
            • Part of subcall function 00408E58: HeapAlloc.KERNEL32(00000000,00000000,?,00408F81,?), ref: 00408E7A
            • Part of subcall function 00408E58: wcscpy.MSVCRT ref: 00408E8B
          • GetStockObject.GDI32(00000011), ref: 00408FB2
          • LoadIconW.USER32 ref: 00408FE9
          • LoadCursorW.USER32(00000000,00007F00), ref: 00408FF9
          • RegisterClassExW.USER32 ref: 00409021
          • IsWindowEnabled.USER32(00000000), ref: 00409048
          • EnableWindow.USER32(00000000), ref: 00409059
          • GetSystemMetrics.USER32(00000001), ref: 00409091
          • GetSystemMetrics.USER32(00000000), ref: 0040909E
          • CreateWindowExW.USER32(00000000,00000000,10C80000,-00000096,?,?,?,?,?), ref: 004090BF
          • SetWindowLongW.USER32(00000000,000000EB,?), ref: 004090D3
          • CreateWindowExW.USER32(00000000,STATIC,?,5000000B,0000000A,0000000A,00000118,00000016,00000000,00000000,00000000), ref: 00409101
          • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409119
          • CreateWindowExW.USER32(00000200,EDIT,00000000,00000000,0000000A,00000020,00000113,00000015,00000000,0000000A,00000000), ref: 00409157
          • SendMessageW.USER32(00000000,00000030,00000001), ref: 00409169
          • SetFocus.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409171
          • SendMessageW.USER32(0000000C,00000000,00000000), ref: 00409186
          • wcslen.MSVCRT ref: 00409189
          • wcslen.MSVCRT ref: 00409191
          • SendMessageW.USER32(000000B1,00000000,00000000), ref: 004091A3
          • CreateWindowExW.USER32(00000000,BUTTON,00413080,50010001,0000006E,00000043,00000050,00000019,00000000,000003E8,00000000), ref: 004091CD
          • SendMessageW.USER32(00000000,00000030,00000001), ref: 004091DF
          • CreateAcceleratorTableW.USER32(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409216
          • SetForegroundWindow.USER32(00000000), ref: 0040921F
          • BringWindowToTop.USER32(00000000), ref: 00409226
          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00409239
          • TranslateAcceleratorW.USER32(00000000,00000000,?), ref: 0040924A
          • TranslateMessage.USER32(?), ref: 00409259
          • DispatchMessageW.USER32(?), ref: 00409264
          • DestroyAcceleratorTable.USER32(00000000), ref: 00409278
          • wcslen.MSVCRT ref: 00409289
          • wcscpy.MSVCRT ref: 004092A1
          • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004092B4
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Window$Message$CreateSend$wcslen$Accelerator$HeapLoadMetricsSystemTableTranslatewcscpy$AllocBringClassCursorDestroyDispatchEnableEnabledFocusForegroundFreeIconLongObjectRegisterStock
          • String ID: 0$BUTTON$D0A$EDIT$STATIC
          • API String ID: 54849019-2968808370
          • Opcode ID: 64b7048e9784f6b3a965978878b2fb0e8fb718a1bb0b3c0aee67433a202d6ab7
          • Instruction ID: ac9e317f2143d035474ccc6d8eb2369134aae38ec411cec841dcb6eceac04435
          • Opcode Fuzzy Hash: 64b7048e9784f6b3a965978878b2fb0e8fb718a1bb0b3c0aee67433a202d6ab7
          • Instruction Fuzzy Hash: FC919071548300BFE7219F65DD49F9B7BE9EB48B50F00483EFA84A61E1CBB988408B5D
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • WriteFile.KERNEL32(?,00000000,?,?,00000000,?), ref: 00401648
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 004057F0: wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00405853
            • Part of subcall function 004057F0: memmove.MSVCRT ref: 004058E1
            • Part of subcall function 004057F0: wcsncpy.MSVCRT ref: 004058F9
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
            • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020C0000,00000000,?,?), ref: 0040E5BC
            • Part of subcall function 0040AD45: wcsncpy.MSVCRT ref: 0040AD63
            • Part of subcall function 0040AD45: wcslen.MSVCRT ref: 0040AD75
            • Part of subcall function 0040AD45: CreateDirectoryW.KERNELBASE(?,00000000), ref: 0040ADB5
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AllocateErrorHeapLastValuewcslenwcsncpy$CreateDirectoryFileWritememmovewcsncmp
          • String ID: $pA$&pA$.pA$2pA$2pA$2pA$6pA$6pA$6pA$\pA$\pA$\pA$\pA$\pA
          • API String ID: 1295435411-2952853158
          • Opcode ID: af3dae6db891e923df4a4e706107fb4aaecf548916866d68cba43d12f02d6bed
          • Instruction ID: 61c24dd49085b80bd1b70adcfbfbd818be60928fccba90bb55e88b0b877bbf77
          • Opcode Fuzzy Hash: af3dae6db891e923df4a4e706107fb4aaecf548916866d68cba43d12f02d6bed
          • Instruction Fuzzy Hash: AEB11FB1104304BED600BB62DD8297F77A9EB88708F50CD3FB144A61E2EA3DDD55962E
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • CoInitialize.OLE32(00000000), ref: 00409373
            • Part of subcall function 0040EA90: TlsGetValue.KERNEL32(0000000D,\\?\,?,004096ED,00000104,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000), ref: 0040EA9A
          • memset.MSVCRT ref: 00409381
          • LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
          • GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
          • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
          • wcsncpy.MSVCRT ref: 004093DD
          • wcslen.MSVCRT ref: 004093F1
          • CoTaskMemFree.OLE32(?), ref: 0040947A
          • wcslen.MSVCRT ref: 00409481
          • FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AddressFreeLibraryProcwcslen$InitializeLoadTaskValuememsetwcsncpy
          • String ID: $0A$P$SHBrowseForFolderW$SHELL32.DLL$SHGetPathFromIDListW
          • API String ID: 4193992262-92458654
          • Opcode ID: cbde42508be9eaa54418296cf2fcec228ecaff496ce27a8586192ba66c484795
          • Instruction ID: dd14e0d5c7aaf6d086be5bb491997024bece532a8fadf3e5f1c49f9ab44bf52d
          • Opcode Fuzzy Hash: cbde42508be9eaa54418296cf2fcec228ecaff496ce27a8586192ba66c484795
          • Instruction Fuzzy Hash: 43414471508304AAC720EF759C49A9FBBE8EF88714F004C3FF945E3292D77899458B5A
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • wcsncpy.MSVCRT ref: 00406405
            • Part of subcall function 0040E880: TlsGetValue.KERNEL32(0000000D,?,?,00405EC5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000), ref: 0040E88A
          • _wcsdup.MSVCRT ref: 0040644E
          • _wcsdup.MSVCRT ref: 00406469
          • _wcsdup.MSVCRT ref: 0040648C
          • wcsncpy.MSVCRT ref: 00406578
          • free.MSVCRT(?), ref: 004065DC
          • free.MSVCRT(?), ref: 004065EF
          • free.MSVCRT(?), ref: 00406602
          • wcsncpy.MSVCRT ref: 0040662E
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: _wcsdupfreewcsncpy$Value
          • String ID: $0A$$0A$$0A
          • API String ID: 1554701960-360074770
          • Opcode ID: f59d57380f8462386650d730b526675ad7e9bff01cb308e942a75ae948ec079d
          • Instruction ID: 8dd6decbfdfb2e9f9ed0212bb19f765ed94392260ea2aa670051c2f9137328dc
          • Opcode Fuzzy Hash: f59d57380f8462386650d730b526675ad7e9bff01cb308e942a75ae948ec079d
          • Instruction Fuzzy Hash: 27A1BD715043019BCB209F18C881A2BB7F1EF94348F49493EFC8667391E77AD965CB9A
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
            • Part of subcall function 0040E900: HeapReAlloc.KERNEL32(020C0000,00000000,?,?), ref: 0040E967
          • LoadLibraryW.KERNEL32(Shell32.DLL,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0040AEE3
          • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 0040AEF5
          • wcscpy.MSVCRT ref: 0040AF1B
          • wcscat.MSVCRT ref: 0040AF26
          • wcslen.MSVCRT ref: 0040AF2C
          • CoTaskMemFree.OLE32(?,00000000,00000000,?,020C9F70,00000000,00000000), ref: 0040AF3A
          • FreeLibrary.KERNEL32(00000000,?,?,?,00000009,0040373D,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,00404746,00000000), ref: 0040AF41
          • wcscat.MSVCRT ref: 0040AF59
          • wcslen.MSVCRT ref: 0040AF5F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: FreeLibrarywcscatwcslen$AddressAllocHeapLoadProcTaskValuewcscpy
          • String ID: Downloads\$SHGetKnownFolderPath$Shell32.DLL
          • API String ID: 1740785346-287042676
          • Opcode ID: 3b5950ac527df3ef7cda72db0df74ea4b6227c4cc24e67ecc582cb497ed06186
          • Instruction ID: 692465ff5638a5220195cb25a460cc83d5c0d74b8cd54d9d2378aa313f557f39
          • Opcode Fuzzy Hash: 3b5950ac527df3ef7cda72db0df74ea4b6227c4cc24e67ecc582cb497ed06186
          • Instruction Fuzzy Hash: 59210DB12483037AC121A7629C4AF6B3968DB51B95F10043FF505B51C1DABCC96195AF
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • TlsAlloc.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412732
          • InitializeCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041273E
          • TlsGetValue.KERNEL32(?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000), ref: 00412754
          • HeapAlloc.KERNEL32(00000008,00000014,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041276E
          • EnterCriticalSection.KERNEL32(004186E8,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000), ref: 0041277F
          • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 0041279B
          • GetCurrentProcess.KERNEL32(00000000,00100000,00000000,00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000), ref: 004127B4
          • GetCurrentThread.KERNEL32 ref: 004127B7
          • GetCurrentProcess.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127BE
          • DuplicateHandle.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127C1
          • RegisterWaitForSingleObject.KERNEL32(0000000C,00000000,0041281A,00000000,000000FF,00000008), ref: 004127D7
          • TlsSetValue.KERNEL32(00000000,?,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127E4
          • HeapAlloc.KERNEL32(00000000,0000000C,?,?,0040E6B8,0040E620,00000000,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000), ref: 004127F5
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AllocCriticalCurrentSection$HeapProcessValue$DuplicateEnterHandleInitializeLeaveObjectRegisterSingleThreadWait
          • String ID:
          • API String ID: 298514914-0
          • Opcode ID: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
          • Instruction ID: 7332ff317071e0a972604479ba3dd7ff9d073507a24f1d64326450f2c9127e0c
          • Opcode Fuzzy Hash: 2e736260770be91d420535d1c957e5431970d5774848fb61a6feb3a44565c38a
          • Instruction Fuzzy Hash: 36210770644301BFDB119F60ED88B967FB9FB08761F14C43AF505A62A1CBB49850CB68
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • GetWindowsDirectoryW.KERNEL32(00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032AE
          • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032B7
          • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 004033D7
          • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000800,00000000,00000000,00000000,00000800,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004033E0
            • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020C0000,00000000,?,?), ref: 0040E5BC
          • PathAddBackslashW.SHLWAPI(00000000,00000000,sysnative,00000000,00000000,00000000,00000000,00000800,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 004032E7
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
          • GetSystemDirectoryW.KERNEL32(00000000,00000800), ref: 00403414
          • PathAddBackslashW.SHLWAPI(00000000,00000000,00000800,00000000,00000000,?,00000000,00000000), ref: 0040341D
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: BackslashPath$Directory$AllocateErrorHeapLastSystemValue$Windows
          • String ID: sysnative
          • API String ID: 3406704365-821172135
          • Opcode ID: 06246fb3350c889958c456c83ddef363d069b28f08760247f4de7035fd8ff5d7
          • Instruction ID: e6855e8cc6b59ba75e59fbb34a632fbdfc5c60153de78cbca022c055a9fde60a
          • Opcode Fuzzy Hash: 06246fb3350c889958c456c83ddef363d069b28f08760247f4de7035fd8ff5d7
          • Instruction Fuzzy Hash: 83510A75118201BAD600BBB3DC82E3F66A9EB8075CF10CC3EB144751E2EA3DD9655A6E
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • LoadLibraryW.KERNEL32(Kernel32.dll,00000000,00000000,00000000,00000004,00000000,0040DED5,0041867C,0040E062,00000000,FFFFFFED,00000200,77435E70,0040A4F6,FFFFFFED,00000010), ref: 0040E0D1
          • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0040E0E6
          • FreeLibrary.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E101
          • InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 0040E110
          • Sleep.KERNEL32(00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000,00000000), ref: 0040E122
          • InterlockedExchange.KERNEL32(00000000,00000002), ref: 0040E135
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: ExchangeInterlockedLibrary$AddressCompareFreeLoadProcSleep
          • String ID: InitOnceExecuteOnce$Kernel32.dll
          • API String ID: 2918862794-1339284965
          • Opcode ID: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
          • Instruction ID: f1debd77009d833240bff916e076c3bff8506a5db62120b34ae0b3aef6ef2b9b
          • Opcode Fuzzy Hash: 5ce0d2485c1bb4decbbcb922162a80cd5c7d15fe9eeb9708d5254b12b909fa63
          • Instruction Fuzzy Hash: 3001D431244214FBD6201FA2DC4DFEB7B79EB45B52F10883AF501B51C0EAB85D21C66D
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00409511
          • GetCurrentThreadId.KERNEL32 ref: 0040951F
          • IsWindowVisible.USER32(?), ref: 00409526
            • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
          • GetCurrentThreadId.KERNEL32 ref: 00409543
          • GetWindowLongW.USER32(?,000000EC), ref: 00409550
          • GetForegroundWindow.USER32 ref: 0040955E
          • IsWindowEnabled.USER32(?), ref: 00409569
          • EnableWindow.USER32(?,00000000), ref: 00409579
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Window$Thread$Current$AllocEnableEnabledForegroundHeapLongProcessVisible
          • String ID:
          • API String ID: 3383493704-0
          • Opcode ID: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
          • Instruction ID: 39f81579f69f96c849a8792b8e2bccb0372a8aae8c011f207204c0ba92c0e649
          • Opcode Fuzzy Hash: 68a633d90a34132dfb5e2fdbc66a21f5e6654eddc9afd13cb677bbd48b54e552
          • Instruction Fuzzy Hash: 2E01DD321083016FD3219B7ADC88AABBBF8AF51760B04803EF446D3291D7748C40C66D
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • DestroyWindow.USER32(?), ref: 00408EED
          • GetWindowLongW.USER32(?,000000EB), ref: 00408EFC
          • GetWindowTextLengthW.USER32 ref: 00408F0A
          • HeapAlloc.KERNEL32(00000000), ref: 00408F1F
          • GetWindowTextW.USER32(00000000,00000001), ref: 00408F2F
          • DestroyWindow.USER32(?), ref: 00408F3D
          • UnregisterClassW.USER32 ref: 00408F53
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Window$DestroyText$AllocClassHeapLengthLongUnregister
          • String ID:
          • API String ID: 2895088630-0
          • Opcode ID: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
          • Instruction ID: 1940c3daec6268f5e5453f2abd6c11195bb238337c9a47dace4bef07d760dbb1
          • Opcode Fuzzy Hash: 95d800774705508cbc5b0801488b835211eb90fc9c6ab37156a63b4f6fedfd03
          • Instruction Fuzzy Hash: 9011FA3110821AFFCB115F64ED4C9E63F76EB18365B10C17AF845A2AB0CF359951EB58
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • EnumWindows.USER32(00409507,?), ref: 0040959B
          • GetCurrentThreadId.KERNEL32 ref: 004095B3
          • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 004095CF
          • GetCurrentThreadId.KERNEL32 ref: 004095EF
          • EnableWindow.USER32(?,00000001), ref: 00409605
          • SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0040961C
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Window$CurrentThread$EnableEnumWindows
          • String ID:
          • API String ID: 2527101397-0
          • Opcode ID: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
          • Instruction ID: 1b506e7c949c81e82e84a7d7bfb29e48a0d3001387cd43cbe5fa1ceb5ac7c4b4
          • Opcode Fuzzy Hash: 63874de7abb22210dce27e7498091370d04ccb8537cec92ca55daa4cf010ce04
          • Instruction Fuzzy Hash: D211D032149741BBD7324F16EC48F57BBB9EB81B20F148A3EF065226E1DB766C44CA18
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • TlsAlloc.KERNEL32(?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040D9F8
          • HeapAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA0C
          • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA19
          • TlsGetValue.KERNEL32(00000010,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA30
          • HeapReAlloc.KERNEL32(00000008,00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA3F
          • TlsSetValue.KERNEL32(00000000,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000,00000000,00000000), ref: 0040DA4E
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AllocValue$Heap
          • String ID:
          • API String ID: 2472784365-0
          • Opcode ID: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
          • Instruction ID: 2e0cfeba47cec0f6b91efb2e93d625c98a83c07df354da5318bce0fb1280086a
          • Opcode Fuzzy Hash: 7f6b70932fc1a08cda45a5a13933a08f33854a1b42fa358b63a86d14e57a1294
          • Instruction Fuzzy Hash: 1C118676A45310AFD7109FA5EC44AA67FA9EB18760B05813EF904D7370DA359C44CBAC
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • UnregisterWait.KERNEL32(?), ref: 004126AE
          • CloseHandle.KERNEL32(?,?,?,?,0041282A,?), ref: 004126B7
          • EnterCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126C3
          • LeaveCriticalSection.KERNEL32(004186E8,?,?,?,0041282A,?), ref: 004126E8
          • HeapFree.KERNEL32(00000000,00000000,?,?,?,0041282A,?), ref: 00412706
          • HeapFree.KERNEL32(?,?,?,?,?,0041282A,?), ref: 00412718
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: CriticalFreeHeapSection$CloseEnterHandleLeaveUnregisterWait
          • String ID:
          • API String ID: 4204870694-0
          • Opcode ID: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
          • Instruction ID: 8ad69fc92b526a08bfe7472bb61da84b570d2b31100e81d3d28f3db860eb322d
          • Opcode Fuzzy Hash: f70a7c029a070c226780d23f7e43a7120967b39c5434bc4d35a475d06415ef98
          • Instruction Fuzzy Hash: ED014874202605BFC7159F11ED88ADABB79FF49352310843EE51AC6A60CB35A861CBA8
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • wcsncmp.MSVCRT(00000000,?,?,?,?,-0000012C,?,?,00402252,00000000,00000002,00000000,00000000,00417024,00000001,00000000), ref: 00405853
          • memmove.MSVCRT ref: 004058E1
          • wcsncpy.MSVCRT ref: 004058F9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: memmovewcsncmpwcsncpy
          • String ID: $0A$$0A
          • API String ID: 1452150355-167650565
          • Opcode ID: 14318413d9adc2e2b942005046f5369366b6e76739e1c09bf8bc34821c1b3a51
          • Instruction ID: 832c062924e7bef47b33d77ba9c88e4f4304e1b7f9fac3bbf8cf3561daacd64f
          • Opcode Fuzzy Hash: 14318413d9adc2e2b942005046f5369366b6e76739e1c09bf8bc34821c1b3a51
          • Instruction Fuzzy Hash: 7131C336904B058BC720BA55888057B77A8EE84384F14893EEC8537382EB799D61CBA9
          Uniqueness
          • Uniqueness Score: -1.00%

          APIs
          • memset.MSVCRT ref: 0040553B
          • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
          • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AddressHandleModuleProcmemset
          • String ID: RtlGetVersion$ntdll.dll
          • API String ID: 3137504439-1489217083
          • Opcode ID: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
          • Instruction ID: c27d50cfc24873b946f5b5a14a9105dc5d991450749eb0f504377b4d26b5710e
          • Opcode Fuzzy Hash: 979e6798394419a5d8feb081e21a74f9c3e25225fd5f8554349b136b21278e81
          • Instruction Fuzzy Hash: 14E0DF31B8461576C6202F75AC0AFCB2AEDCFC6B41B18043AF101F31D5DA38CA418ABD
          Uniqueness

          Uniqueness Score: -1.00%
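
The GetModuleHandleW(ntdll.dll) followed by GetProcAddress(RtlGetVersion) in the block above, and the LoadLibraryW(SHELL32.DLL) / GetProcAddress(SHBrowseForFolderW, SHGetPathFromIDListW) sequence listed under subcall function 00409355 further down, are the call pattern behind the "Contains functionality to dynamically determine API calls" signature: the target names are handed to GetProcAddress as strings instead of being resolved through the import table, so a static import listing does not show them. RtlGetVersion in particular is the usual way to read the real OS version, since it is not subject to the compatibility shims that can change what GetVersionEx reports. The Python below is an added example, not part of the Joe Sandbox report or of init_DB.exe: it parses API lines in the report's own format, keeps the "Part of subcall function" scope, and lists the run-time-resolved imports together with the code page used by the WideCharToMultiByte calls (0000FDE9 is 65001, CP_UTF8). The SAMPLE lines are copied from this report's API blocks; the helper names, the LOADERS set and the CODE_PAGES table are the example's own.

```python
"""Triage helper for the per-function "APIs" blocks of a Joe Sandbox report.

Added example, not part of the Joe Sandbox report or of init_DB.exe.  It parses
API lines in the report's own format, keeps the "Part of subcall function" scope,
and reports which imports the sample resolves at run time plus which code page
its WideCharToMultiByte calls use.  SAMPLE is copied from this report's API blocks.
"""
import re
from collections import defaultdict

# Constructed input: lines copied verbatim from the API blocks of this report.
SAMPLE = """\
• memset.MSVCRT ref: 0040553B
• GetModuleHandleW.KERNEL32(ntdll.dll,?,?,00000000), ref: 0040554A
• GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0040555A
  • Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
  • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
  • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D738,00000000), ref: 00412874
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412911
"""

# One report line: optional subcall prefix, Api.MODULE, optional (args), "ref: <addr>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Names and table are this example's own choices, not taken from the report.
LOADERS = {"GetModuleHandleA", "GetModuleHandleW", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW"}
CODE_PAGES = {0x0: "CP_ACP", 0x1: "CP_OEMCP", 0xFDE9: "CP_UTF8"}  # 0xFDE9 == 65001


def parse_api_lines(text):
    """Return one dict per API line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a for a in raw_args.split(",") if a] if raw_args is not None else [],
            "ref": int(m.group("ref"), 16),
            # address of the sub-function the call belongs to; None for the function itself
            "scope": int(m.group("callee"), 16) if m.group("callee") else None,
        })
    return records


def resolved_imports(records):
    """Pair each GetProcAddress with the DLL most recently loaded or looked up in
    the same scope.  The HMODULE argument is only a run-time value ("00000000"
    or "?") in the report, so the DLL name has to come from the loader call."""
    last_dll = {}
    found = []
    for r in records:
        if r["api"] in LOADERS and r["args"] and r["args"][0] not in ("?", "00000000"):
            last_dll[r["scope"]] = r["args"][0]
        elif r["api"] == "GetProcAddress" and len(r["args"]) >= 2:
            found.append((last_dll.get(r["scope"], "<unknown dll>"), r["args"][1]))
    return found


def code_pages(records):
    """Decode the CodePage argument of WideCharToMultiByte / MultiByteToWideChar."""
    out = []
    for r in records:
        if r["api"] in ("WideCharToMultiByte", "MultiByteToWideChar") and r["args"]:
            try:
                cp = int(r["args"][0], 16)
            except ValueError:  # "?" means the sandbox could not recover the value
                continue
            out.append((r["ref"], CODE_PAGES.get(cp, f"CP_{cp}")))
    return out


def apis_by_module(records):
    """Distinct API names grouped by the module the report attributes them to."""
    groups = defaultdict(set)
    for r in records:
        groups[r["module"]].add(r["api"])
    return {mod: sorted(names) for mod, names in groups.items()}


if __name__ == "__main__":
    recs = parse_api_lines(SAMPLE)
    for dll, name in resolved_imports(recs):
        print(f"run-time import: {dll}!{name}")
    for ref, cp in code_pages(recs):
        print(f"{ref:08X}: wide-to-multibyte conversion with {cp}")
    for mod, names in apis_by_module(recs).items():
        print(f"{mod}: {', '.join(names)}")
```

Run as a script it prints the three run-time imports (ntdll.dll!RtlGetVersion and the two SHELL32.DLL functions), the code pages, and the per-module API names; any other APIs block from the report can be pasted in, since unrecognised lines are skipped. The DLL-to-name pairing is a heuristic: it assumes the loader call precedes GetProcAddress within the same listed scope, which holds for the blocks on this page but not necessarily for code that caches module handles elsewhere.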

          APIs
          • wcslen.MSVCRT ref: 0040A72B
          • HeapAlloc.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?,00403C0E), ref: 0040A741
          • wcscpy.MSVCRT ref: 0040A74C
          • memset.MSVCRT ref: 0040A77A
          Similarity
          • API ID: AllocHeapmemsetwcscpywcslen
          • String ID: $0A
          • API String ID: 1807340688-513306843
          • Opcode ID: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
          • Instruction ID: e32262bd00c92b68ef8260e1fb7dc13a688965226c4dfc8bf1af71259570edab
          • Opcode Fuzzy Hash: 0446004259e7087f80f5e9692535c9a3ff9e7738c9dd9ea03abb58d6e7266719
          • Instruction Fuzzy Hash: 3C214872100B01AFC321AF159881B6BB7F9EF88314F14893FF58563691CB79E8258B1A
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
            • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
            • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
            • Part of subcall function 0040A54F: HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
          • HeapAlloc.KERNEL32(00000000,0000003C,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A47F
          • HeapAlloc.KERNEL32(00000008,00000015,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A4A5
          • HeapAlloc.KERNEL32(00000008,FFFFFFED,FFFFFFED,00000010,00010000,00000004,00000200,?,?,?,?,004010C3,00000004,00000015,00000000,00000200), ref: 0040A502
          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5,00000000,00001000,00000000), ref: 0040A51C
          Similarity
          • API ID: Heap$Free$Alloc
          • String ID: $0A
          • API String ID: 3901518246-513306843
          • Opcode ID: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
          • Instruction ID: cd652e3bdf182b70a5213d1d771de0a97fad45979f4c99c471b58853275527fc
          • Opcode Fuzzy Hash: 38ff8db7da0bfef88404013647d5d2cc437161e020f58e3aa9cad386b680b922
          • Instruction Fuzzy Hash: F4216AB1600716BFD3108F2ADC01B46BBE4FB4C700F41812EB508E76A1DB70E964CB99
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CreateThread.KERNEL32(00000000,00001000,?,?,00000000,020C9F70), ref: 004054A5
          • EnterCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054B7
          • WaitForSingleObject.KERNEL32(00000008,00000000,00000000,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000), ref: 004054CE
          • CloseHandle.KERNEL32(00000008,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 004054DA
            • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
          • LeaveCriticalSection.KERNEL32(00418708,?,?,?,?,00402DD8,00000000,00000000,?,0000000A,?,00000000,00000001,00000000,00000000,00000000), ref: 0040551D
          Similarity
          • API ID: CriticalSection$CloseCreateEnterFreeHandleHeapLeaveObjectSingleThreadWait
          • String ID:
          • API String ID: 3708593966-0
          • Opcode ID: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
          • Instruction ID: 22802cd27a3f1ed093d1fd342325ad429a5e5b172653039cc62d2cb3277a330b
          • Opcode Fuzzy Hash: 7d32ff8fa703d6aea88238e8b85a34b2bc4f47d3e9cf465d70c1e07cefa75554
          • Instruction Fuzzy Hash: AD11C232148214BFC3115F69EC05AD7BBB9EF46752720843AF800972A0EB75A8818B68
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
          • LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
            • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
          • DeleteCriticalSection.KERNEL32(00000020,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040E048
          • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040E057
          Similarity
          • API ID: CriticalSection$FreeHeap$DeleteEnterLeave
          • String ID:
          • API String ID: 3171405041-0
          • Opcode ID: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
          • Instruction ID: 55e4d48cd168304893741703cb98186ecc41a8d0b28d64f5ed6d9708d3a92668
          • Opcode Fuzzy Hash: fdf9844f3b1e6b4279b4029fb6c954a1531c20b726c16353b8bda20627decff9
          • Instruction Fuzzy Hash: 23116A71101611EFC720AF16DC08B97BBB9FF45301F15883EE50AA7AA1C779A855CFA8
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CloseHandle.KERNEL32(020C9F70,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040995D
          • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409968
          • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409973
          • CloseHandle.KERNEL32(?,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040997E
          • EnterCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 00409986
          • LeaveCriticalSection.KERNEL32(00418730,?,?,00403DFC,?,00000000,00000000,00000000,0041702A,?,00000000,00000000,00000000,00000044,00000000), ref: 0040999A
          Similarity
          • API ID: CloseHandle$CriticalSection$EnterLeave
          • String ID:
          • API String ID: 10009202-0
          • Opcode ID: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
          • Instruction ID: e0bc3ded0607a690d6707024abf9d108a6c512657707c309f6689cc3689588ed
          • Opcode Fuzzy Hash: 926b03219edff138682592b50218eb32bbb5e82e6177662db6676d56e49f664e
          • Instruction Fuzzy Hash: 35F0FE32004600ABD3226F25DC08BABB7B5BF91355F15883EE055615B0CB796896DF59
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040E900: TlsGetValue.KERNEL32(0000000D,00001000,00000000,00000000), ref: 0040E90C
            • Part of subcall function 0040E900: HeapReAlloc.KERNEL32(020C0000,00000000,?,?), ref: 0040E967
          • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,00000000,?,?,?,00401BD6,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000), ref: 004096B4
          • wcscmp.MSVCRT ref: 004096C2
          • memmove.MSVCRT ref: 004096DA
          Similarity
          • API ID: AllocFileHeapModuleNameValuememmovewcscmp
          • String ID: \\?\
          • API String ID: 3734239354-4282027825
          • Opcode ID: 33c17352ecf2d33e8b842fb82144003de2b1de4302be4aa3bf9866a4b196b950
          • Instruction ID: 45f2cbb32eb965b059acfe96771e330f3b1ba6a562bb2c4a442859e911d7a588
          • Opcode Fuzzy Hash: 33c17352ecf2d33e8b842fb82144003de2b1de4302be4aa3bf9866a4b196b950
          • Instruction Fuzzy Hash: 15F0E2B31002017AC2006777DC89CAB7BACEB853B4750093FF516E2491EA38D82486B8
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: memset$memcpy
          • String ID:
          • API String ID: 368790112-0
          • Opcode ID: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
          • Instruction ID: 1965f6ec6392bd57460d2593cd94e0dced67690f07481f5a959be489f1b8959c
          • Opcode Fuzzy Hash: b0beb639d4b87296fea5d69f8c5fb0a7f200458fdca181524d22ac5a9409a4ef
          • Instruction Fuzzy Hash: FD21D6727507083BE524AA29DC86F9F738CDB41708F50063EF241B62C1DA79E54546AD
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Similarity
          • API ID: AllocHeapwcsncpy
          • String ID:
          • API String ID: 2304708654-0
          • Opcode ID: a90f3be50ee59ad9f9cb2c8344752c2d6c44559da06bb1932963a8c5f4cf1607
          • Instruction ID: c5f2f283d94cb2b95ca38a154dbf8d05cc6d7144c7ec2ede7a16228095844b4d
          • Opcode Fuzzy Hash: a90f3be50ee59ad9f9cb2c8344752c2d6c44559da06bb1932963a8c5f4cf1607
          • Instruction Fuzzy Hash: F751BD34508B059BDB209F28D844A6B77F4FF84348F544A2EFC85A72D0E778E955CB89
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • CharLowerW.USER32(00417032,?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406696
          • CharLowerW.USER32(00000000,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066D0
          • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 004066FF
          • CharLowerW.USER32(?,?,?,?,?,?,?,?,?,004026F1,00000000,00000000), ref: 00406705
          Similarity
          • API ID: CharLower
          • String ID:
          • API String ID: 1615517891-0
          • Opcode ID: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
          • Instruction ID: f3574eb3d9009b883351c62f390b1b458f0f5c76b551c27569f8cb84250b8306
          • Opcode Fuzzy Hash: dd20185b596db2745f2b704bac9dd4eb7d3bfe8c6e03a6d263d02bee93d56928
          • Instruction Fuzzy Hash: 0E2157796043158BC710EF5D9C40077B3A0EF80765F86887BFC85A3380DA39EE169BA9
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0040D738,00000000), ref: 00412874
          • malloc.MSVCRT ref: 00412884
          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,-00000001,00000000,00000000,00000000,00000000,00000000), ref: 004128A1
          • malloc.MSVCRT ref: 004128B6
          Similarity
          • API ID: ByteCharMultiWidemalloc
          • String ID:
          • API String ID: 2735977093-0
          • Opcode ID: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
          • Instruction ID: e0c8a2120d9564889d2f3113141632f921e3b611a2b6a27c47ae7c2ad602c93a
          • Opcode Fuzzy Hash: 8be09bc5dba933f52a62dcd4c1466ac7b9e98312e52af60236e0b5bb7a24d736
          • Instruction Fuzzy Hash: 9E01453B34130127E3206699AC12FB73B59CB81B95F19017AFB009E2C0D6F3A80082B9
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00412911
          • malloc.MSVCRT ref: 00412921
          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041293B
          • malloc.MSVCRT ref: 00412950
          Similarity
          • API ID: ByteCharMultiWidemalloc
          • String ID:
          • API String ID: 2735977093-0
          • Opcode ID: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
          • Instruction ID: 3026177615c0ccb99804f522c9f73c57bab6efbcd972e36018b7209c0027a648
          • Opcode Fuzzy Hash: dc45e273b66a9daf34e262ac0fef012b7e67277b67b23735523b4b314dffbbe5
          • Instruction Fuzzy Hash: AB01F57734534127E3205699AD42FA77B59CB81BA5F19007AFB01AE2C0DAF7681086B8
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • SHGetFolderLocation.SHELL32(00000000,020C9F70,00000000,00000000,00000000,00000000,00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?), ref: 0040AFFE
          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0040B00F
          • wcslen.MSVCRT ref: 0040B01A
          • CoTaskMemFree.OLE32(00000000,?,00000104,0040AF9B,00000000,00000000,00000104,?,?,?,?,00000009,0040373D,00000001,00000000,00000000), ref: 0040B038
          Similarity
          • API ID: FolderFreeFromListLocationPathTaskwcslen
          • String ID:
          • API String ID: 4012708801-0
          • Opcode ID: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
          • Instruction ID: ea6acf64d2064cc2033e367344890d06019be10827a432285197bb32926cdf71
          • Opcode Fuzzy Hash: 6faf2d54f5b57ee11cbd029bcc5efc3640db8cf73aecbbbd6fb1dba8edde6915
          • Instruction Fuzzy Hash: BBF08136500615BAC7205F6ADC0DDAB7B7CEF15BA07404226F805E6260E7319910D7E8
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 004053E4: EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 004053EF
            • Part of subcall function 004053E4: LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,004053CA,00000000,00401FD6,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405422
          • TerminateThread.KERNEL32(00000000,00000000,00000000,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000), ref: 00405440
          • EnterCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040544C
          • CloseHandle.KERNEL32(-00000008,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 0040546C
            • Part of subcall function 0040E1B2: HeapFree.KERNEL32(00000000,-00000008,0040DACB,00000010,00000800,?,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040E1EB
          • LeaveCriticalSection.KERNEL32(00418708,?,?,-0000012C,00401FE5,00000000,-0000012C,00402366,00000000,?,00000000,00000001,00000000,00000000,00000000,00000002), ref: 00405480
          Similarity
          • API ID: CriticalSection$EnterLeave$CloseFreeHandleHeapTerminateThread
          • String ID:
          • API String ID: 85618057-0
          • Opcode ID: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
          • Instruction ID: 2660d4446155f5fb089545407d2c8513ff3ad75f9eb032afb91e50ebd33cab77
          • Opcode Fuzzy Hash: be79b443d5972bd681091ed05d4b22618ed934695998c5f90ab991cc6a18f9e1
          • Instruction Fuzzy Hash: 05F0E233404610FBC6205B619C49EE77779EF55767724883FF94172291CB386841CE6D
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,00000000,?,?,00409BAF,?), ref: 004099D6
          • GetCurrentProcess.KERNEL32(?,00000000,?,?,00409BAF,?), ref: 004099E2
          • DuplicateHandle.KERNEL32(00000000,?,?,00409BAF,?), ref: 004099E9
          • CloseHandle.KERNEL32(?,?,?,00409BAF,?), ref: 004099F5
          Similarity
          • API ID: CurrentHandleProcess$CloseDuplicate
          • String ID:
          • API String ID: 1410216518-0
          • Opcode ID: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
          • Instruction ID: ce6dac3176af70590056e0be6dcfbc27d6d18e8bdc9d520293d6dd9450c8e6f1
          • Opcode Fuzzy Hash: 4852cd940a62ffebd97bec63e7d75145fa92973f44f615ba9ebe136649e88543
          • Instruction Fuzzy Hash: 73E0ED75608209BFEB10DF91DC49F9ABB7DEB44741F104065F905D2660EB71AD11CB64
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040E660: TlsGetValue.KERNEL32(0000000D,?,00402EF9,00000000,00000000,00000000,00000000,?,0040118D,00000000,00000000,00000000,00000001,00000004,00000000,00417064), ref: 0040E677
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
            • Part of subcall function 00405EB0: CharUpperW.USER32(00000000,00000000,FFFFFFF5,00001000,00001000,?,?,00001000,00402F92,00000000,00000008,00000001,00000000,00000000,00000000,00000000), ref: 00405F01
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
            • Part of subcall function 0040E560: RtlReAllocateHeap.NTDLL(020C0000,00000000,?,?), ref: 0040E5BC
            • Part of subcall function 00402E49: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,00000000,004044FA,00000000,00000000,00000000,00000001,00000000,00000000,00000000), ref: 00402E71
            • Part of subcall function 00402E49: __fprintf_l.LIBCMT ref: 00402ECB
            • Part of subcall function 00409355: CoInitialize.OLE32(00000000), ref: 00409373
            • Part of subcall function 00409355: memset.MSVCRT ref: 00409381
            • Part of subcall function 00409355: LoadLibraryW.KERNEL32(SHELL32.DLL,?,?,0000000A), ref: 0040938E
            • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHBrowseForFolderW), ref: 004093B0
            • Part of subcall function 00409355: GetProcAddress.KERNEL32(00000000,SHGetPathFromIDListW), ref: 004093BC
            • Part of subcall function 00409355: wcsncpy.MSVCRT ref: 004093DD
            • Part of subcall function 00409355: wcslen.MSVCRT ref: 004093F1
            • Part of subcall function 00409355: CoTaskMemFree.OLE32(?), ref: 0040947A
            • Part of subcall function 00409355: wcslen.MSVCRT ref: 00409481
            • Part of subcall function 00409355: FreeLibrary.KERNEL32(00000000,00000000), ref: 004094A0
            • Part of subcall function 00403E37: FindResourceW.KERNEL32(00000000,0000000A,00000000,00000000,00000000,00000000,00000000,-00000004,00403A0D,00000000,00000001,00000000,00000000,00000001,00000003,00000000), ref: 00403E67
          • PathAddBackslashW.SHLWAPI(00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000,00000000,FFFFFFF5,00000003,00000000,00000000,00000000,00000000,00000000), ref: 00403178
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
          • PathRemoveBackslashW.SHLWAPI(00000000,00000000,00000000,020CA468,00000000,00000000,00000200,00000000,00000000,00000200,FFFFFFF5,00000000,00000000,00000000,00000200,00000000), ref: 004031DD
            • Part of subcall function 00402C55: FindResourceW.KERNEL32(?,0000000A,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402CF0
          Similarity
          • API ID: Value$FindResourcewcslen$AddressAllocateBackslashErrorFreeHeapLastLibraryPathProc$CharInitializeLoadRemoveTaskUpper__fprintf_lmemsetwcsncpy
          • String ID: $pA
          • API String ID: 790731606-4007739358
          • Opcode ID: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
          • Instruction ID: e60bee266b2990c05e42038f4eaf1cd2a2725b994cf9f5ea8c77fc408b4d2e90
          • Opcode Fuzzy Hash: 64ebd7b317967dc0aa4780699e57154d7a3f4f596edfabaaa6cc53898b52652e
          • Instruction Fuzzy Hash: 6851E6B9601204BEE500BBB39D82D7F266DDBC471CB108C3FB440A50D3E93CAE65662E
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • GetCommandLineW.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040254F
          • PathRemoveArgsW.SHLWAPI(?), ref: 00402585
            • Part of subcall function 00405182: TlsGetValue.KERNEL32(00000000,00402F8A,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000,00000000), ref: 00405189
            • Part of subcall function 0040E560: TlsGetValue.KERNEL32(0000000D,00000000,00000000), ref: 0040E56C
            • Part of subcall function 0040E560: RtlAllocateHeap.NTDLL(020C0000,00000000,?), ref: 0040E599
            • Part of subcall function 004099A5: SetEnvironmentVariableW.KERNELBASE(020C9F70,020C9F70,00404594,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004099BE
            • Part of subcall function 0040E520: GetLastError.KERNEL32(00001000,00000000,00000000), ref: 0040E526
            • Part of subcall function 0040E520: TlsGetValue.KERNEL32(0000000D), ref: 0040E535
            • Part of subcall function 0040E520: SetLastError.KERNEL32(?), ref: 0040E54B
            • Part of subcall function 0040E6C0: wcslen.MSVCRT ref: 0040E6D7
            • Part of subcall function 00405170: TlsGetValue.KERNEL32(?,?,00402F99,00000000,00000008,00000001,00000000,00000000,00000000,00000000,00000000,?,00000200,00000000,00000000,00000000), ref: 00405178
            • Part of subcall function 0040E5F0: HeapFree.KERNEL32(020C0000,00000000,00000000,?,00000000,?,00412484,00000000,00000000,-00000008), ref: 0040E608
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Value$ErrorHeapLast$AllocateArgsCommandEnvironmentFreeLinePathRemoveVariablewcslen
          • String ID: *pA
          • API String ID: 1199808876-3833533140
          • Opcode ID: 978365ab2a22ce9fb3928a5ef7e0fcf4419ed98c8898819fe6a111c9215247d9
          • Instruction ID: beb9823a99ae011e4ed5f1d055ef6d1d692690281f772a57edd19b399da9bd76
          • Opcode Fuzzy Hash: 978365ab2a22ce9fb3928a5ef7e0fcf4419ed98c8898819fe6a111c9215247d9
          • Instruction Fuzzy Hash: E541E9B5504301BED600BBB39D8293F76A8EBC471CF508C3FB444A61D2EA3CD9655A2E
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040D968: TlsGetValue.KERNEL32(?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000,00000000,00000200), ref: 0040D96F
            • Part of subcall function 0040D968: HeapAlloc.KERNEL32(00000008,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D98A
            • Part of subcall function 0040D968: TlsSetValue.KERNEL32(00000000,?,?,00409869,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015,00000001,00000000,00000000,00000000), ref: 0040D999
          • GetCommandLineW.KERNEL32(?,?,?,00000000,?,?,00409870,00000000,00401DBC,FFFFFFF5,00000200,0000000A,00000000,00000000,FFFFFFF5,00000015), ref: 00409754
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Value$AllocCommandHeapLine
          • String ID: $"
          • API String ID: 1339485270-3817095088
          • Opcode ID: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
          • Instruction ID: 229198f1d41a65a6e9ffff917a794aecd7294c87f6384db1244c7b0cd665179e
          • Opcode Fuzzy Hash: 9f13aeb594c8651f773918aba712108c6ee6300c7051426f9c00fbcbc60952a7
          • Instruction Fuzzy Hash: 3131A6735252218ADB64AF10981127772A1EFA2B60F18C17FE4926B3C2F37D4D41D369
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: _wcsicmpwcscmp
          • String ID: $0A
          • API String ID: 3419221977-513306843
          • Opcode ID: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
          • Instruction ID: a9c09230f7291aa91694be4cadd9aa4df44d847ede942287367b49c05577748a
          • Opcode Fuzzy Hash: e4c63d424049f42e7b73257686f90aee44a2e069d1a72a0e60c522d0a3ac157e
          • Instruction Fuzzy Hash: 39118F76508B018BD3209F56D440913B3F9EF94364329893FD88963790DB76EC658BAA
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405722
          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,00401218), ref: 00405746
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: ByteCharMultiWide
          • String ID: $0A
          • API String ID: 626452242-513306843
          • Opcode ID: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
          • Instruction ID: 6633c5b8762e659e7e7445bcc2ebba2587ddb8769fcb30c67f307584ac15d0df
          • Opcode Fuzzy Hash: 73ef42fd297e56149542e4ba10b5f7343afa2e9a126b30dcd6987e1077dc572a
          • Instruction Fuzzy Hash: D4F0653A38632137E230215A6C06F57295DC785F71F3542367B247F3D0C5B1680046BD
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • EnterCriticalSection.KERNEL32(?,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?), ref: 0040DC13
          • HeapAlloc.KERNEL32(00000000,-00000018,00000001,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?), ref: 0040DCC8
          • HeapAlloc.KERNEL32(00000000,-00000018,?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000), ref: 0040DCEB
          • LeaveCriticalSection.KERNEL32(?,?,00000000,0040A724,00000000,00000001,?,?,?,00000000,0040A54C,?,?,00000000,?,?), ref: 0040DD43
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AllocCriticalHeapSection$EnterLeave
          • String ID:
          • API String ID: 830345296-0
          • Opcode ID: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
          • Instruction ID: 326a62a2d88e17b700e0b5dbbe6d23d3e5727d380a42910b8190cd6cec96877c
          • Opcode Fuzzy Hash: 324d660e7cdc21042891890593d34f1f0348325fed707f3f607e68598850c6a9
          • Instruction Fuzzy Hash: D151E570A04B069FD324CF69D980962B7F4FF587103148A3EE49A97A50D338F959CB94
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • wcslen.MSVCRT ref: 0040E7E5
          • HeapAlloc.KERNEL32(020C0000,00000000,0000000A), ref: 0040E809
          • HeapReAlloc.KERNEL32(020C0000,00000000,00000000,0000000A), ref: 0040E82D
          • HeapFree.KERNEL32(020C0000,00000000,00000000,?,?,0040506F,?,0041702E,00401095,00000000), ref: 0040E864
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: Heap$Alloc$Freewcslen
          • String ID:
          • API String ID: 2479713791-0
          • Opcode ID: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
          • Instruction ID: 61d70e0538fde6a9b2f408d2d23f17b2afdd03d3414029a6c312abdd158bf447
          • Opcode Fuzzy Hash: 2b6b1bd9f026436857951278c42bc1b07c0eea740553c1e91eb77f15f4e50f5e
          • Instruction Fuzzy Hash: 6C2115B5604209EFCB04DF95D884FAAB7B9EB49354F10C169F8099B390D735EA81CB98
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • EnterCriticalSection.KERNEL32(00000020,00000000,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000), ref: 0040DB23
          • HeapReAlloc.KERNEL32(00000008,?,?,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?), ref: 0040DB63
          • LeaveCriticalSection.KERNEL32(00000020,?,00000000,0040B455,00000000,?,?,00000000,00403350,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0040DB9E
            • Part of subcall function 0040E1F2: HeapAlloc.KERNEL32(00000008,00000000,0040DA6C,00418670,00000014,?,?,?,?,00409674,00000010,00000000,00000000,00401071,00000000,00001000), ref: 0040E1FE
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: AllocCriticalHeapSection$EnterLeave
          • String ID:
          • API String ID: 830345296-0
          • Opcode ID: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
          • Instruction ID: 234cd8b738bfcb23ec7c58dff1098e76d365aadfe99366d65fb7203dd4a6e8aa
          • Opcode Fuzzy Hash: 5d9d41e9d09ba23bc41a935226fc724bd5eb564a4c229014a10cb91462bf3418
          • Instruction Fuzzy Hash: 6A113D72504710AFC3208F68DC40D56BBFAEB48721B15892EE596E36A0CB34F844CB65
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • EnterCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DD6F
          • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DD86
          • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F), ref: 0040DDA2
          • LeaveCriticalSection.KERNEL32(00000020,?,00000000,00000200,0040E03E,00000000,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200), ref: 0040DDBF
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: CriticalFreeHeapSection$EnterLeave
          • String ID:
          • API String ID: 1298188129-0
          • Opcode ID: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
          • Instruction ID: 339acd6113cd15283fdaf2d24efa5c6700350868ea18a16039eb98c455fe0077
          • Opcode Fuzzy Hash: b3beb58b6f71b40006eb08016dd7c334f266477d507c334884bffe37f11cccde
          • Instruction Fuzzy Hash: 7C012C71A0161ABFC7108F96ED049A7FB78FF49751345817AA804A7664D734E824CFE8
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
            • Part of subcall function 0040A79A: memset.MSVCRT ref: 0040A802
            • Part of subcall function 0040DFC6: EnterCriticalSection.KERNEL32(00418684,00000200,00000000,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3), ref: 0040DFDA
            • Part of subcall function 0040DFC6: HeapFree.KERNEL32(00000000,?,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004), ref: 0040E028
            • Part of subcall function 0040DFC6: LeaveCriticalSection.KERNEL32(00418684,?,0040A568,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015), ref: 0040E02F
          • HeapFree.KERNEL32(00000000,?,?,00000000,00000200,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000), ref: 0040A57A
          • HeapFree.KERNEL32(00000000,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A586
          • HeapFree.KERNEL32(00000000,?,?,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200), ref: 0040A59A
          • HeapFree.KERNEL32(00000000,00000000,?,?,0040A46F,00000200,?,?,?,004010C3,00000004,00000015,00000000,00000200,00000200,FFFFFFF5), ref: 0040A5B0
          Memory Dump Source
          • Source File: 00000000.00000002.1348903770.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.1348889581.0000000000400000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348924939.0000000000413000.00000002.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348940709.0000000000417000.00000004.00000001.01000000.00000003.sdmp
          • Associated: 00000000.00000002.1348955547.0000000000419000.00000002.00000001.01000000.00000003.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_init_DB.jbxd
          Similarity
          • API ID: FreeHeap$CriticalSection$EnterLeavememset
          • String ID:
          • API String ID: 4254243056-0
          • Opcode ID: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
          • Instruction ID: 62ba4ec21453903b754b53d00370c9fddb20f7a3713721c865cfde946388869e
          • Opcode Fuzzy Hash: 9b91829c39ba2b5ec3bef2853771c0dd8412306e6433636457154be9583086ba
          • Instruction Fuzzy Hash: B5F04471105209BFC6125B16DD40C57BF7DFF49798342412AB40463570CB36ED75DBA8
          Uniqueness

          Uniqueness Score: -1.00%