
Windows Analysis Report
kGZyUV1upG.exe

Overview

General Information

Sample name: kGZyUV1upG.exe (renamed because original name is a hash value)
Original sample name: 6c93fc68e2f01c20fb81af24470b790c.exe
Analysis ID: 1431451
MD5: 6c93fc68e2f01c20fb81af24470b790c
SHA1: d5927b38a32e30afcf5a658612a8266476fc4ad8
SHA256: 64a71b664d76641b35dac312161cb356b3b3b5f0b45c9d88c8afa547b4902580
Tags: 32exe

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found evasive API chain (may stop execution after checking mutex)
Found potential dummy code loops (likely to delay analysis)
Found stalling execution ending in API Sleep call
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • kGZyUV1upG.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\kGZyUV1upG.exe" MD5: 6C93FC68E2F01C20FB81AF24470B790C)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: kGZyUV1upG.exe | Virustotal: Detection: 33%
Source: kGZyUV1upG.exe | ReversingLabs: Detection: 26%
Source: kGZyUV1upG.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kGZyUV1upG.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: M:\DATA\Projects\BitClipper2017\Release\BitClipper2017.pdb | source: kGZyUV1upG.exe
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_008B2590 CreateMutexA,GetLastError,ExitProcess,OpenClipboard,GetClipboardData,GlobalFix,EmptyClipboard,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,GlobalFree,CloseClipboard,Sleep
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00907830
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00909063
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090A988
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090B29C
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_008B1A40
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00912BD5
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090BB06
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00905C20
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_008B5500
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090AE84
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090B6D1
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00913759
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: String function: 00909E8D appears 31 times
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: String function: 00908810 appears 32 times
Source: classification engine | Classification label: mal60.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Mutant created: \Sessions\1\BaseNamedObjects\8dddf1vvvv
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Command line argument: 8dddf1vvvv (0_2_008B2590)
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Command line argument: f1vvvv (0_2_008B2590)
Source: kGZyUV1upG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Section loaded: apphelp.dll
Source: kGZyUV1upG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kGZyUV1upG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kGZyUV1upG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kGZyUV1upG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kGZyUV1upG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kGZyUV1upG.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: kGZyUV1upG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kGZyUV1upG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kGZyUV1upG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kGZyUV1upG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kGZyUV1upG.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_008B89F0 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00908856 push ecx; ret 0_2_00908869
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090834B push ecx; ret 0_2_0090835E

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_0-18504)
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Stalling execution: Execution stalls by calling Sleep (graph_0-18511)
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Window / User API: threadDelayed 875
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Window / User API: threadDelayed 9124
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | API coverage: 5.6 %
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 | Thread sleep count: 875 > 30
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 | Thread sleep time: -622125s >= -30000s
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 | Thread sleep count: 9124 > 30
Source: C:\Users\user\Desktop\kGZyUV1upG.exe TID: 6924 | Thread sleep time: -6487164s >= -30000s
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | API call chain: ExitProcess graph end node (graph_0-18506)

Anti Debugging

Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090CC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_008B89F0 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090E8F6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00912404 GetProcessHeap
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00907C28 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00908609 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00908757 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0090886B cpuid
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00917A1C GetLocaleInfoW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00911A67 GetLocaleInfoW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_009173E1 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00917B45 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00917C4C GetLocaleInfoW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00917D19 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_009176A4 EnumSystemLocalesW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_009116C2 EnumSystemLocalesW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_00917659 EnumSystemLocalesW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_009177CC GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_0091773F EnumSystemLocalesW
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_009084F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_008B1390 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ
Source: C:\Users\user\Desktop\kGZyUV1upG.exe | Code function: 0_2_008B2D60 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 111 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 1 System Time Discovery; 12 Security Software Discovery; 111 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; 3 Clipboard Data; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Source: kGZyUV1upG.exe | Detection: 34% | Scanner: Virustotal
Source: kGZyUV1upG.exe | Detection: 26% | Scanner: ReversingLabs
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431451
Start date and time: 2024-04-25 06:42:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: kGZyUV1upG.exe (renamed because original name is a hash value)
Original Sample Name: 6c93fc68e2f01c20fb81af24470b790c.exe
Detection: MAL
Classification: mal60.evad.winEXE@1/0@0/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 7
  • Number of non-executed functions: 63
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Override analysis time to 240000 for current running targets taking high CPU consumption
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
Time | Type | Description
06:43:21 | API Interceptor | 9152152x Sleep call for process: kGZyUV1upG.exe modified
No context
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.384805269039956
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: kGZyUV1upG.exe
File size: 545'792 bytes
MD5: 6c93fc68e2f01c20fb81af24470b790c
SHA1: d5927b38a32e30afcf5a658612a8266476fc4ad8
SHA256: 64a71b664d76641b35dac312161cb356b3b3b5f0b45c9d88c8afa547b4902580
SHA512: 355e9677121ef17cf8c398f0c17399776d206c62014080a2c62682e1152ea0729dcc6e233358dcd6bae009b07e3db936d4b18eb37d6e7ebc2fe9cf8d827c4ade
SSDEEP: 6144:yU3iKBTO7hQqRGoFyLmVmH6Q4vwRuGuoBhYkuFqeYAOfp+5ic6/:yU7UVGoFyLmVO6Q6wAGuoBh9Np+M/
TLSH: 44C48301EDC28C6ED34242B1962BA570B479E7A456741FE3338743395D60EADCECFA89
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'i..'i..'i....[.7i....Y..i....X.8i...7..3i...7...i...7...i....9."i..'i..}i...7..%i...7U.&i..'i=.&i...7..&i..Rich'i.........
Icon Hash: 336dceb2b2b39269
Entrypoint: 0x4580b6
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x66297682 [Wed Apr 24 21:15:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 38ce7b26599ed49d54eb76ec8adae923
Instruction
call 00007FE4AD6B0812h
jmp 00007FE4AD6B0263h
push ebp
mov ebp, esp
mov eax, dword ptr [0047B06Ch]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [0047B06Ch]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FE4AD6B03EBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FE4AD6B03DCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FE4AD6B03DEh
add edx, 28h
cmp edx, esi
jne 00007FE4AD6B03BCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FE4AD6B03CBh
call 00007FE4AD6B0CB4h
test eax, eax
jne 00007FE4AD6B03D5h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 0047C1F8h
mov edx, dword ptr [eax+04h]
jmp 00007FE4AD6B03D6h
cmp edx, eax
je 00007FE4AD6B03E2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FE4AD6B03C2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FE4AD6B03D9h
mov byte ptr [0047C214h], 00000001h
call 00007FE4AD6B0AD5h
call 00007FE4AD6B467Bh
test al, al
jne 00007FE4AD6B03D6h
xor al, al
pop ebp
ret
call 00007FE4AD6B83B5h
Programming Language:
  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x79c50 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7f000 | 0x2840 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0x806c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x780b0 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x78120 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6c000 | 0x11c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6af31 | 0x6b000 | ccd6aeec0d5e0d6ebfc156f82d1938d6 | False | 0.32714615581191586 | data | 6.2444460279315415 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6c000 | 0xe2aa | 0xe400 | 00cfecdbc8308037b8d1a20ac45296c4 | False | 0.4690069901315789 | OpenPGP Secret Key Version 7 | 5.52021741550539 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7b000 | 0x2040 | 0xe00 | 4861c5046ed1ea6db5e6c00122e31574 | False | 0.21261160714285715 | DOS executable (block device driver ght (c) | 3.0793309770055424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x7e000 | 0x1f8 | 0x200 | 50a88cfe362da8efc53c3e174f910587 | False | 0.603515625 | data | 3.721476685742967 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x7f000 | 0x2840 | 0x2a00 | 78ad2c262b42a30ed5bbbb7c147db8ea | False | 0.24609375 | data | 4.08904084486743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x82000 | 0x806c | 0x8200 | c4f7440ee8c5449e04c7a86e889d0fa4 | False | 0.7306189903846154 | data | 6.803125964632598 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7f100 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.2371369294605809
RT_GROUP_ICON | 0x816a8 | 0x14 | data | English | United States | 1.15
RT_MANIFEST | 0x816c0 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
KERNEL32.dll | LoadLibraryA, GetProcAddress, WriteConsoleW, FlushFileBuffers, MultiByteToWideChar, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, GetCPInfo, CompareStringW, LCMapStringW, GetLocaleInfoW, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetModuleHandleW, GetStringTypeW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, GetLastError, FreeLibrary, LoadLibraryExW, HeapAlloc, HeapFree, HeapReAlloc, GetStdHandle, WriteFile, GetModuleFileNameA, ExitProcess, GetModuleHandleExW, GetACP, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetProcessHeap, GetFileType, CloseHandle, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, HeapSize, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW
Language of compilation system | Country where language is spoken
English | United States
No network behavior found

Target ID: 0
Start time: 06:42:49
Start date: 25/04/2024
Path: C:\Users\user\Desktop\kGZyUV1upG.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\kGZyUV1upG.exe"
Imagebase: 0x8b0000
File size: 545'792 bytes
MD5 hash: 6C93FC68E2F01C20FB81AF24470B790C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 1.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 16.2%
Total number of Nodes: 692
Total number of Limit Nodes: 14
    execution_graph 18454 907f4e 18455 907f5a ___DestructExceptionObject 18454->18455 18481 908156 18455->18481 18457 907f61 18459 907f8a 18457->18459 18543 908609 IsProcessorFeaturePresent 18457->18543 18466 907fc9 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 18459->18466 18547 90e785 18459->18547 18463 907fa9 ___DestructExceptionObject 18464 908029 18492 908724 18464->18492 18466->18464 18555 90ea28 18466->18555 18472 908044 18561 90e937 GetModuleHandleW 18472->18561 18475 908055 18476 90805e 18475->18476 18566 90ea03 18475->18566 18569 9082cd 18476->18569 18482 90815f 18481->18482 18575 90886b IsProcessorFeaturePresent 18482->18575 18486 908170 18491 908174 18486->18491 18586 91015d 18486->18586 18489 90818b 18489->18457 18491->18457 18668 90c110 18492->18668 18495 90802f 18496 90e6d6 18495->18496 18670 91569b 18496->18670 18498 908038 18501 8b2590 18498->18501 18499 90e6df 18499->18498 18674 90defd 18499->18674 19262 8b89f0 18501->19262 18503 8b25aa 18504 8b25d8 CreateMutexA GetLastError 18503->18504 18505 8b25fc 18504->18505 18506 8b25f4 ExitProcess 18504->18506 18507 8b2db0 28 API calls 18505->18507 18508 8b2621 18507->18508 18509 8b2db0 28 API calls 18508->18509 18510 8b2646 OpenClipboard 18509->18510 18511 8b2a00 Sleep 18510->18511 18512 8b2656 GetClipboardData 18510->18512 18511->18472 18513 8b29fa CloseClipboard 18512->18513 18514 8b2666 GlobalFix 18512->18514 18513->18511 18514->18513 18516 8b2677 18514->18516 18515 8b2db0 28 API calls 18517 8b2699 18515->18517 18516->18515 18517->18517 18518 8b2db0 28 API calls 18517->18518 18529 8b29cc 18517->18529 18519 8b26dc 18518->18519 18520 8b2db0 28 API calls 18519->18520 18521 8b2701 18520->18521 18522 8b1a40 59 API calls 18521->18522 18523 8b270a 18522->18523 18524 8b276b 18523->18524 18527 8b292a 18523->18527 18533 8b2823 18523->18533 18534 8b271b 18523->18534 18535 8b28b1 18523->18535 18536 8b2795 18523->18536 18525 8b295d EmptyClipboard GlobalAlloc 18524->18525 18526 8b29b4 
18524->18526 18525->18526 18528 8b2977 GlobalFix memcpy GlobalUnWire SetClipboardData GlobalFree 18525->18528 18526->18529 18531 8b3050 26 API calls 18526->18531 18530 8b2eb0 28 API calls 18527->18530 18528->18526 18529->18513 18532 8b294e 18530->18532 18531->18529 18537 905c20 41 API calls 18532->18537 18538 8b2db0 28 API calls 18533->18538 18539 8b2db0 28 API calls 18534->18539 18540 8b2db0 28 API calls 18535->18540 18541 8b2db0 28 API calls 18536->18541 18542 8b2953 18537->18542 18538->18524 18539->18524 18540->18524 18541->18524 18542->18524 18544 90861f ___scrt_fastfail 18543->18544 18545 9086c7 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 18544->18545 18546 908711 18545->18546 18546->18457 18549 90e79c 18547->18549 18548 907c12 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 18550 907fa3 18548->18550 18549->18548 18550->18463 18551 90e729 18550->18551 18552 90e758 18551->18552 18553 907c12 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 18552->18553 18554 90e781 18553->18554 18554->18466 18556 90ea50 pre_c_initialization _Atexit 18555->18556 18556->18464 18557 910d45 _Atexit 38 API calls 18556->18557 18558 9101f1 18557->18558 18559 90d8bb _abort 38 API calls 18558->18559 18560 91021b 18559->18560 18562 90804b 18561->18562 18562->18475 18563 90ea60 18562->18563 18564 90e7dd _Atexit 28 API calls 18563->18564 18565 90ea71 18564->18565 18565->18475 18567 90e7dd _Atexit 28 API calls 18566->18567 18568 90ea0e 18567->18568 18568->18476 18570 9082d9 18569->18570 18571 908066 18570->18571 19313 91016f 18570->19313 18571->18463 18574 90c43f ___vcrt_uninitialize 8 API calls 18574->18571 18576 90816b 18575->18576 18577 90c416 18576->18577 18578 90c41b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 18577->18578 18597 90c78e 18578->18597 18581 90c429 18581->18486 18583 90c431 18584 90c43c 18583->18584 18611 90c7ca 18583->18611 18584->18486 18652 917f98 18586->18652 18589 90c43f 
18590 90c448 18589->18590 18591 90c459 18589->18591 18592 90c5c2 ___vcrt_uninitialize_ptd 6 API calls 18590->18592 18591->18491 18593 90c44d 18592->18593 18594 90c7ca ___vcrt_uninitialize_locks DeleteCriticalSection 18593->18594 18595 90c452 18594->18595 18664 90ca85 18595->18664 18599 90c797 18597->18599 18600 90c7c0 18599->18600 18601 90c425 18599->18601 18615 90ca05 18599->18615 18602 90c7ca ___vcrt_uninitialize_locks DeleteCriticalSection 18600->18602 18601->18581 18603 90c58f 18601->18603 18602->18601 18633 90c91a 18603->18633 18605 90c599 18610 90c5a4 18605->18610 18638 90c9c8 18605->18638 18607 90c5b2 18608 90c5bf 18607->18608 18643 90c5c2 18607->18643 18608->18583 18610->18583 18612 90c7f4 18611->18612 18613 90c7d5 18611->18613 18612->18581 18614 90c7df DeleteCriticalSection 18613->18614 18614->18612 18614->18614 18620 90c7f9 18615->18620 18617 90ca1f 18618 90ca3c InitializeCriticalSectionAndSpinCount 18617->18618 18619 90ca28 18617->18619 18618->18619 18619->18599 18624 90c829 18620->18624 18625 90c82d __crt_fast_encode_pointer 18620->18625 18621 90c84d 18623 90c859 GetProcAddress 18621->18623 18621->18625 18623->18625 18624->18621 18624->18625 18626 90c899 18624->18626 18625->18617 18627 90c8c1 LoadLibraryExW 18626->18627 18631 90c8b6 18626->18631 18628 90c8dd GetLastError 18627->18628 18632 90c8f5 18627->18632 18630 90c8e8 LoadLibraryExW 18628->18630 18628->18632 18629 90c90c FreeLibrary 18629->18631 18630->18632 18631->18624 18632->18629 18632->18631 18634 90c7f9 try_get_function 5 API calls 18633->18634 18635 90c934 18634->18635 18636 90c94c TlsAlloc 18635->18636 18637 90c93d 18635->18637 18637->18605 18639 90c7f9 try_get_function 5 API calls 18638->18639 18640 90c9e2 18639->18640 18641 90c9fc TlsSetValue 18640->18641 18642 90c9f1 18640->18642 18641->18642 18642->18607 18644 90c5d2 18643->18644 18645 90c5cc 18643->18645 18644->18610 18647 90c954 18645->18647 18648 90c7f9 try_get_function 5 API calls 18647->18648 18649 90c96e 18648->18649 18650 90c985 

    Control-flow Graph

    APIs
    • LoadLibraryA.KERNEL32(Kernel32.dll,LoadLibraryA), ref: 008BBFAF
    • GetProcAddress.KERNEL32(00000000), ref: 008BBFB6
    • LoadLibraryA.KERNEL32(Kernel32.dll), ref: 008BBFC6
    • GetProcAddress.KERNEL32(?,GetProcAddress), ref: 008BDB2A
    • GetProcAddress.KERNEL32(?,GlobalUnlock), ref: 008BF69F
      • Part of subcall function 00907D4B: ___report_securityfailure.LIBCMT ref: 00907D50
    • GetProcAddress.KERNEL32(?,GlobalLock), ref: 008C1212
    • GetProcAddress.KERNEL32(?,GlobalAlloc), ref: 008C2D85
    • GetProcAddress.KERNEL32(?,GlobalFree), ref: 008C48F8
    • GetProcAddress.KERNEL32(?,CreateMutexA), ref: 008C646B
    • GetProcAddress.KERNEL32(?,ReleaseMutex), ref: 008C7FDE
    • GetProcAddress.KERNEL32(?,ExitProcess), ref: 008C9B51
    • GetProcAddress.KERNEL32(?,0092CF7C), ref: 008CB6C4
    • LoadLibraryA.KERNELBASE(User32.dll), ref: 008CD233
    • GetProcAddress.KERNEL32(?,OpenClipboard), ref: 008CEDA6
    • GetProcAddress.KERNEL32(?,GetClipboardData), ref: 008D0919
    • GetProcAddress.KERNEL32(?,EmptyClipboard), ref: 008D248C
    • GetProcAddress.KERNEL32(?,SetClipboardData), ref: 008D3FFF
    • GetProcAddress.KERNEL32(?,0092CF64), ref: 008D5B72
    • GetProcAddress.KERNEL32(?,GetModuleFileName), ref: 008D76E5
    • GetProcAddress.KERNEL32(?,MoveFileA), ref: 008D9258
    • GetProcAddress.KERNEL32(?,Sleep), ref: 008DADCB
    • GetProcAddress.KERNEL32(?,CloseHandle), ref: 008DC93E
    • GetProcAddress.KERNEL32(?,CreateDirectoryA), ref: 008DE4B1
    • GetProcAddress.KERNEL32(?,WaitForSingleObject), ref: 008E0024
    • GetProcAddress.KERNEL32(?,0092D000), ref: 008E1B97
    • LoadLibraryA.KERNELBASE(msvcrt.dll), ref: 008E3706
    • GetProcAddress.KERNEL32(?,memcpy), ref: 008E527F
    • LoadLibraryA.KERNELBASE(Advapi32.dll), ref: 008E6DEE
    • GetProcAddress.KERNEL32(?,RegSetValueExA), ref: 008E8961
    • GetProcAddress.KERNEL32(?,RegOpenKeyExA), ref: 008EA4D4
    • GetProcAddress.KERNEL32(?,RegCloseKey), ref: 008EC047
    • GetProcAddress.KERNEL32(?,RegCreateKeyExA), ref: 008EDBBA
    • GetProcAddress.KERNEL32(?,RegQueryValueExA), ref: 008EF72D
    • LoadLibraryA.KERNELBASE(Shell32.dll), ref: 008F129C
    • GetProcAddress.KERNEL32(?,ShellExecuteEx), ref: 008F2E15
    • GetProcAddress.KERNEL32(?,SHGetFolderPathA), ref: 008F498B
    • LoadLibraryA.KERNELBASE(ws2_32.dll), ref: 008F64FA
    • GetProcAddress.KERNEL32(008B25AA,WSAStartup), ref: 008F806D
    • GetProcAddress.KERNEL32(008B25AA,socket), ref: 008F9BE0
    • GetProcAddress.KERNEL32(008B25AA,gethostbyname), ref: 008FB753
    • GetProcAddress.KERNEL32(008B25AA,htons), ref: 008FD2C6
    • GetProcAddress.KERNEL32(008B25AA,connect), ref: 008FEE39
    • GetProcAddress.KERNEL32(008B25AA,0092CF74), ref: 009009AC
    • GetProcAddress.KERNEL32(008B25AA,recv), ref: 0090251F
    • GetProcAddress.KERNEL32(008B25AA,closesocket), ref: 00904092
    • GetProcAddress.KERNEL32(008B25AA,WSACleanup), ref: 00905C05
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: AddressProc$LibraryLoad$___report_securityfailure
    • String ID: Advapi32.dll$CloseHandle$CreateDirectoryA$CreateMutexA$EmptyClipboard$ExitProcess$GetClipboardData$GetModuleFileName$GetProcAddress$GlobalAlloc$GlobalFree$GlobalLock$GlobalUnlock$Kernel32.dll$LoadLibraryA$MoveFileA$OpenClipboard$RegCloseKey$RegCreateKeyExA$RegOpenKeyExA$RegQueryValueExA$RegSetValueExA$ReleaseMutex$SHGetFolderPathA$SetClipboardData$Shell32.dll$ShellExecuteEx$Sleep$User32.dll$WSACleanup$WSAStartup$WaitForSingleObject$closesocket$connect$gethostbyname$htons$memcpy$msvcrt.dll$recv$socket$ws2_32.dll
    • API String ID: 2356647914-3371338090
    • Opcode ID: 4dc836d502a7311268f1c38033d685305e91cf5111e248fb32d1a4412584ca3d
    • Instruction ID: f14cdf8fb6c2a681fce454dca1da8e3b7714d6035d2708e244a01c9928705667
    • Opcode Fuzzy Hash: 4dc836d502a7311268f1c38033d685305e91cf5111e248fb32d1a4412584ca3d
    • Instruction Fuzzy Hash: 347487E26092A206E71D597C95323BF9EE7DBA2704F2C90BF9042DE7AED475CB448341
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • CreateMutexA.KERNELBASE(00000000,00000000,8dddf1vvvv), ref: 008B25E1
    • GetLastError.KERNEL32 ref: 008B25E7
    • ExitProcess.KERNEL32 ref: 008B25F6
    • OpenClipboard.USER32(00000000), ref: 008B2648
    • GetClipboardData.USER32(00000001), ref: 008B2658
    • GlobalFix.KERNEL32(00000000), ref: 008B2667
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Clipboard$CreateDataErrorExitGlobalLastMutexOpenProcess
    • String ID: 8dddf1vvvv$i
    • API String ID: 2612852249-950614044
    • Opcode ID: a1d09d73cb296282287b4e09c659bd79f7f86e15eddbe538a23646ddf08c8e0a
    • Instruction ID: 3f10dad5e682a6e376bc08b7ba7c82d0a5be9ee2e5ab1e11c418c99208d008f7
    • Opcode Fuzzy Hash: a1d09d73cb296282287b4e09c659bd79f7f86e15eddbe538a23646ddf08c8e0a
    • Instruction Fuzzy Hash: 61A116B042C7849EE324EF64EC1A7AE7BA0FF95305F00460DF485962A1DBB05986DB97
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • MultiByteToWideChar.KERNEL32(000000FF,00000000,?,?,00000000,00000000,00000000,?,00000000,?,?,?,0091160B,000000FF,000000FF,?), ref: 00911414
    • __alloca_probe_16.LIBCMT ref: 0091144C
    • MultiByteToWideChar.KERNEL32(000000FF,00000001,?,?,00000000,?,?,?,?,0091160B,000000FF,000000FF,?,?,?,?), ref: 0091149A
    • __alloca_probe_16.LIBCMT ref: 00911531
    • WideCharToMultiByte.KERNEL32(000000FF,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00911594
    • __freea.LIBCMT ref: 009115A1
      • Part of subcall function 0090D86D: HeapAlloc.KERNEL32(00000000,?,?,?,00908A77,?,?,?,?,?,008B1087,?,?,?), ref: 0090D89F
    • __freea.LIBCMT ref: 009115AA
    • __freea.LIBCMT ref: 009115CF
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
    • String ID:
    • API String ID: 2597970681-0
    • Opcode ID: 11d8a3347192e66e3a8c497ea21a02adcfcd9a62c11fd1db03fde64d65e80aea
    • Instruction ID: d7cdaf0ea27b9fd19f076661c96b17dc258a6d2b3e54308bc72ba1019ed31a3d
    • Opcode Fuzzy Hash: 11d8a3347192e66e3a8c497ea21a02adcfcd9a62c11fd1db03fde64d65e80aea
    • Instruction Fuzzy Hash: 5351B172B1021ABFDB258EA4DC41EEF77AEEB85B50F154629FE06D6180EB34DC80D650
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    APIs
    • LCMapStringEx.KERNELBASE ref: 00911CBA
    • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,000000FF,?,00000000), ref: 00911CD8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: String
    • String ID: LCMapStringEx
    • API String ID: 2568140703-3893581201
    • Opcode ID: ebe38b4e1fefdd26d8ab93a2a9b2e74a644e41d3465545047e7625842f2d2231
    • Instruction ID: 9e83995a018dee5bd1ba684314d17348a002534812ab493342fdd54202365610
    • Opcode Fuzzy Hash: ebe38b4e1fefdd26d8ab93a2a9b2e74a644e41d3465545047e7625842f2d2231
    • Instruction Fuzzy Hash: 3C01483268521DBBCF129F90DD06DEE7FA6FF88760F008114FE14261A0C6328971EB80
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 915406; graph rendering omitted)
    APIs
    • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0091542B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Info
    • String ID:
    • API String ID: 1807457897-3916222277
    • Opcode ID: ce5cbcbbcab101fd4ff559e4760de01e10c3248dfcdff63e159ec897b65f2028
    • Instruction ID: 6a3176d194de3ca689a7666cdbe8e1f8e708d9dc066a169c97768224e8b46e24
    • Opcode Fuzzy Hash: ce5cbcbbcab101fd4ff559e4760de01e10c3248dfcdff63e159ec897b65f2028
    • Instruction Fuzzy Hash: 0341F970A0864CDADF218A64CC84BFABBBFEB85304F1504EDE59A87152D2359AC5DF60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 91575b; graph rendering omitted)
    APIs
      • Part of subcall function 0091532E: GetOEMCP.KERNEL32(00000000,?,?,009155B7,?), ref: 00915359
    • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,009155FC,?,00000000), ref: 009157CF
    • GetCPInfo.KERNEL32(00000000,009155FC,?,?,?,009155FC,?,00000000), ref: 009157E2
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: CodeInfoPageValid
    • String ID:
    • API String ID: 546120528-0
    • Opcode ID: f49873e003140699122fb2de1a1848fef877c570c149d9c120f47eea753069af
    • Instruction ID: 1fdf9d6b37d5cc82483420693aa3e9bebd3df65998ea131d07df0cf5c16f8dcf
    • Opcode Fuzzy Hash: f49873e003140699122fb2de1a1848fef877c570c149d9c120f47eea753069af
    • Instruction Fuzzy Hash: B7511470F04A09DEDB249F75C8816FABBE9EFC1310F1744AED0968B151D7399582DB90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 91559a; graph rendering omitted)
    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
      • Part of subcall function 009156B9: _abort.LIBCMT ref: 009156EB
      • Part of subcall function 009156B9: _free.LIBCMT ref: 0091571F
      • Part of subcall function 0091532E: GetOEMCP.KERNEL32(00000000,?,?,009155B7,?), ref: 00915359
    • _free.LIBCMT ref: 00915612
    • _free.LIBCMT ref: 00915648
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$ErrorLast_abort
    • String ID:
    • API String ID: 2991157371-0
    • Opcode ID: cbf16a26ebb96d8810d121b4801bd5eb47b4aa6780d6d4a5943cba2fa72ff24b
    • Instruction ID: 661249c4e86219032bf41b53bc1174ae1ad8c92576ec4470d06802ded8c7a653
    • Opcode Fuzzy Hash: cbf16a26ebb96d8810d121b4801bd5eb47b4aa6780d6d4a5943cba2fa72ff24b
    • Instruction Fuzzy Hash: 7D318131A04608EFDB10EBA9D881BAD77E9DFC0360F674099E8159B291EB715D81DB90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (entry block 905c20; graph rendering omitted)
    APIs
    • WSAStartup.WS2_32(00000202,?), ref: 00906223
    • socket.WS2_32(00000002,00000001,00000006), ref: 00906237
    • WSACleanup.WS2_32 ref: 00906244
    • gethostbyname.WS2_32(0092CD50), ref: 0090627E
    • WSACleanup.WS2_32 ref: 0090628A
    • closesocket.WS2_32(00000000), ref: 00906291
    • memcpy.MSVCRT ref: 009062A7
    • htons.WS2_32(00000050), ref: 009062BB
    • connect.WS2_32(00000000,?,00000010), ref: 009062CC
    • send.WS2_32(00000000,00000000,00000000,00000000), ref: 009062E9
    • send.WS2_32(00000000,00000000,00000000,00000000), ref: 0090630A
    • closesocket.WS2_32(00000000), ref: 00906319
    • WSACleanup.WS2_32 ref: 0090631F
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Cleanup$closesocketsend$Startupconnectgethostbynamehtonsmemcpysocket
    • String ID:
    • API String ID: 128753205-0
    • Opcode ID: 8ec50b6426de02856d39c1526054d0c3f1aadd8063fbb195ba797016dfb3430b
    • Instruction ID: 50592bcfa9f2175a79a387c0e960cf9147aca3776c1aa3642de0c3ff8f577fae
    • Opcode Fuzzy Hash: 8ec50b6426de02856d39c1526054d0c3f1aadd8063fbb195ba797016dfb3430b
    • Instruction Fuzzy Hash: 6D1214B05286849EEB29CF34ED167FD7B65FF56308F04925CE442262F2DB70298B9B50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00917BDE
    • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00917C07
    • GetACP.KERNEL32 ref: 00917C1C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: ACP$OCP
    • API String ID: 2299586839-711371036
    • Opcode ID: 6e2a1e883e14d7bf6cf7a3490a028bc07333b9b3a21be07bf746a072c1f97d44
    • Instruction ID: d4ecd25f6e9274c03de1dd42163bd92009fb63a1089c4363e2471281c4cb3fa4
    • Opcode Fuzzy Hash: 6e2a1e883e14d7bf6cf7a3490a028bc07333b9b3a21be07bf746a072c1f97d44
    • Instruction Fuzzy Hash: 3D21797278C10A96D7348B94D900AE7F3BAEB54F64B568864ED49D7201F732DDC0D390
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910DA4
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DB1
    • GetUserDefaultLCID.KERNEL32 ref: 00917E25
    • IsValidCodePage.KERNEL32(00000000), ref: 00917E80
    • IsValidLocale.KERNEL32(?,00000001), ref: 00917E8F
    • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00917ED7
    • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00917EF6
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
    • String ID:
    • API String ID: 745075371-0
    • Opcode ID: 397170cd69e8c861add2bb27ec8228cfd2c260de10f68cfdeec88d05cc3f8139
    • Instruction ID: f98f4365570557e9536970c09e01dbae17ff3dccaee7a278e71900d43d6c2139
    • Opcode Fuzzy Hash: 397170cd69e8c861add2bb27ec8228cfd2c260de10f68cfdeec88d05cc3f8139
    • Instruction Fuzzy Hash: 93516071B0820F9AEF10DFE5DC41AFAB3B8AF48700F1444A9E915E71A0D7709D8487A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
    • IsValidCodePage.KERNEL32(00000000), ref: 009174C3
    • _wcschr.LIBVCRUNTIME ref: 00917553
    • _wcschr.LIBVCRUNTIME ref: 00917561
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00917604
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
    • String ID:
    • API String ID: 4212172061-0
    • Opcode ID: 2358138d02b0db0041a6f9eadfc2a9db306e506e6fdcdeeffed58914d083a83f
    • Instruction ID: e636c74507fe4d1b521521b4833c1cef1bc13d9b3a17bbad17b8d059e4099e0b
    • Opcode Fuzzy Hash: 2358138d02b0db0041a6f9eadfc2a9db306e506e6fdcdeeffed58914d083a83f
    • Instruction Fuzzy Hash: 3D61E67170820FAADB24ABA4DC46BFAB7BDEF48710F144469F905D7181EA74EA80C760
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 0090852C
    • GetCurrentThreadId.KERNEL32 ref: 0090853B
    • GetCurrentProcessId.KERNEL32 ref: 00908544
    • QueryPerformanceCounter.KERNEL32(?), ref: 00908551
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
    • String ID:
    • API String ID: 2933794660-0
    • Opcode ID: 0217826c52e9c775206aab01fa75d72557565094c970fea2c0d6846c026f744f
    • Instruction ID: e84e88e08ebd218fc4f0c73f8a5c3675e842a4e97d27664609297c6b9c6cf901
    • Opcode Fuzzy Hash: 0217826c52e9c775206aab01fa75d72557565094c970fea2c0d6846c026f744f
    • Instruction Fuzzy Hash: EB118F71E15208DFDF14CBB4D9445AFB7F4EB08311F5145AAE442E7290EF309A05DB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00906DDA: std::regex_error::regex_error.LIBCPMT ref: 00906DE6
      • Part of subcall function 00906DDA: __CxxThrowException@8.LIBVCRUNTIME ref: 00906DF4
    • ___from_strstr_to_strchr.LIBCMT ref: 008B5646
    • ___from_strstr_to_strchr.LIBCMT ref: 008B566A
    Strings
    • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_, xrefs: 008B5641, 008B5665
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ___from_strstr_to_strchr$Exception@8Throwstd::regex_error::regex_error
    • String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
    • API String ID: 451488043-3812731148
    • Opcode ID: 1207c95ca1a76ce58e9573387be6300a456b16e612422ae91c9431949550f275
    • Instruction ID: 1f54027d74ccf533836b656ec72ace5237571582d3e379703229605603f05849
    • Opcode Fuzzy Hash: 1207c95ca1a76ce58e9573387be6300a456b16e612422ae91c9431949550f275
    • Instruction Fuzzy Hash: EDE15575A00A49DFDB25CF28C490BEABBF2FF49314F240959E482DB791DB71A845CB60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910DA4
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DB1
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00917820
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00917871
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00917931
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorInfoLastLocale$_free$_abort
    • String ID:
    • API String ID: 2829624132-0
    • Opcode ID: 73eb096f2151452f236ecb1b2deab667cffe68bc9b1712bb9777c8f195648662
    • Instruction ID: 76e0ffc911e88aa4c42d5f2a87f1d047ac3612b5bc6b641b7c662ef07f9fe7e0
    • Opcode Fuzzy Hash: 73eb096f2151452f236ecb1b2deab667cffe68bc9b1712bb9777c8f195648662
    • Instruction Fuzzy Hash: A961BE7175820B9FEB299F64CC82BFAB7BCEF04300F1045A9E805D6581EB7499C9DB50
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0090CCFF
    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0090CD09
    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0090CD16
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled$DebuggerPresent
    • String ID:
    • API String ID: 3906539128-0
    • Opcode ID: 2d2cb685d33c36e9f49907b3bbd67096e4ced099ce7ac3e5d90f17121838e8fc
    • Instruction ID: c6b06ab6e1b7cb3e990102b5191b30dcdefb8bf78d3a7bd5192176afe7c036f8
    • Opcode Fuzzy Hash: 2d2cb685d33c36e9f49907b3bbd67096e4ced099ce7ac3e5d90f17121838e8fc
    • Instruction Fuzzy Hash: 2231D5B4941228ABCB21DF64DD8979DBBB8BF48310F5046EAE40CA7291E7709B818F44
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetCurrentProcess.KERNEL32(00000000,?,0090E8CC,00000000,00929858,0000000C,0090EA23,00000000,00000002,00000000), ref: 0090E917
    • TerminateProcess.KERNEL32(00000000,?,0090E8CC,00000000,00929858,0000000C,0090EA23,00000000,00000002,00000000), ref: 0090E91E
    • ExitProcess.KERNEL32 ref: 0090E930
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Process$CurrentExitTerminate
    • String ID:
    • API String ID: 1703294689-0
    • Opcode ID: 260995aa17a91ecc2ee646b865e180afd68b413643de973b1180ab63e12ebb71
    • Instruction ID: 114b074d621c20a55deebc3b69e9d324a9ad3966da8ef8b48d366df1688f7857
    • Opcode Fuzzy Hash: 260995aa17a91ecc2ee646b865e180afd68b413643de973b1180ab63e12ebb71
    • Instruction Fuzzy Hash: A0E08C71210508EFCF51AF10DC08AA83B6EEF48B45F008414F8198A171CB35ED82DB80
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0090EBAD,?,00000006), ref: 00911ABA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: InfoLocale
    • String ID: GetLocaleInfoEx
    • API String ID: 2299586839-2904428671
    • Opcode ID: db27eb4fc4c9d6cb7e19a0248374562ef281dc6be9b3c24f688b97ffee2ac0ff
    • Instruction ID: b3cb150a8ab16518fba1ee9a97ccebea056d19ec49389437816349ce2721ef25
    • Opcode Fuzzy Hash: db27eb4fc4c9d6cb7e19a0248374562ef281dc6be9b3c24f688b97ffee2ac0ff
    • Instruction Fuzzy Hash: 74F02431B8521CBBCF11AF60EC02FEE7F69EF88710F004159FD05262A1CB314D60A695
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,00912BD0,?,?,?,?,?,?,00000000), ref: 00912E02
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ExceptionRaise
    • String ID:
    • API String ID: 3997070919-0
    • Opcode ID: f5ae3599b62c120e34a6b4c7bd42afffbd0d2d73577b57aef8048265b167d220
    • Instruction ID: dedc9c49757d8ed309d0366f4ee37f7bc62868da4f8d4a60d11f6156f1c8be57
    • Opcode Fuzzy Hash: f5ae3599b62c120e34a6b4c7bd42afffbd0d2d73577b57aef8048265b167d220
    • Instruction Fuzzy Hash: 00B14D752106089FD719DF28C48ABA57BE0FF45364F298698E9DACF2E1C335D9A1CB40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910DA4
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DB1
    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00917A70
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast$_free$InfoLocale_abort
    • String ID:
    • API String ID: 1663032902-0
    • Opcode ID: eeb4444594d0c4a323ca6363548fb44e9f95a688d50b18cce6535aa7485ba550
    • Instruction ID: b6e796784d81f9079913dbde6baa0232cc7873baef5766c8c23b4e38c0978069
    • Opcode Fuzzy Hash: eeb4444594d0c4a323ca6363548fb44e9f95a688d50b18cce6535aa7485ba550
    • Instruction Fuzzy Hash: 6021717275820BABDB289AA4DC42BFEB7BCEF44310F10017AE905D6581EB75AEC4D750
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
    • EnumSystemLocalesW.KERNEL32(009177CC,00000001), ref: 00917716
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: bb9792d356ed9510d2113e969ed1604c7e17007571ed6c6b5e76d4aca26b0132
    • Instruction ID: fddc81c2d378486ba80e36556035b0d3e3a193c6ad0d6b7fcbb5596b5f7da9f3
    • Opcode Fuzzy Hash: bb9792d356ed9510d2113e969ed1604c7e17007571ed6c6b5e76d4aca26b0132
    • Instruction Fuzzy Hash: FF11293B3047069FDB18AF78C8916FAF7A1FF84358B15442DE94687A80D7717982C740
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,009179EA,00000000,00000000,?), ref: 00917C78
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast$InfoLocale_abort_free
    • String ID:
    • API String ID: 2692324296-0
    • Opcode ID: 514295245dbde101662fddcb0b9841c6539c1bc9cc5c50231170174b973fa2be
    • Instruction ID: 322a4ded557656494b5e431f6403b5b16670ddd70ac260c5e77ca7cf5ed271bd
    • Opcode Fuzzy Hash: 514295245dbde101662fddcb0b9841c6539c1bc9cc5c50231170174b973fa2be
    • Instruction Fuzzy Hash: 6CF0F936B0811BABDB249BA4C805BFAB77CDB80354F044469EC49B3280EA74BD81C6D0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
    • EnumSystemLocalesW.KERNEL32(00917A1C,00000001), ref: 0091778B
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 1bd02eebb123efdf2ef920dd75836ab8aa3f5c0b89cb6d0d33ac9c958ddae70c
    • Instruction ID: 3af91bdc62cf864f59977bc793e403f16701485d8eeb172d70522bcb7bd0bf6c
    • Opcode Fuzzy Hash: 1bd02eebb123efdf2ef920dd75836ab8aa3f5c0b89cb6d0d33ac9c958ddae70c
    • Instruction Fuzzy Hash: AAF0C83630430A5FDB155F75DC81ABABBA5EFC0368F15442DF9058B590D6719C82C610
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0090D287: EnterCriticalSection.KERNEL32(?,?,0090DF84,00000000,00929838,0000000C,0090DF3F,?,?,?,0090D530,?,?,00910DFA,00000001,00000364), ref: 0090D296
    • EnumSystemLocalesW.KERNEL32(Function_0006167C,00000001,009299C0,0000000C), ref: 009116FA
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: CriticalEnterEnumLocalesSectionSystem
    • String ID:
    • API String ID: 1272433827-0
    • Opcode ID: b541ef4e1ef4b297d218c2f62f562b1975a25d4c3f43411cb630770bb7b1c973
    • Instruction ID: bb49f6f3be3c23c9b0ec9fb10dedfbeeac54ea56cc293fa6a1f02231a709510c
    • Opcode Fuzzy Hash: b541ef4e1ef4b297d218c2f62f562b1975a25d4c3f43411cb630770bb7b1c973
    • Instruction Fuzzy Hash: 95F04F76A60205EFDB21EF78D846B8D77F0AB48721F108119F820DB2E5CB748A81DF40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
    • EnumSystemLocalesW.KERNEL32(009175B0,00000001), ref: 00917690
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    • String ID:
    • API String ID: 1084509184-0
    • Opcode ID: 05d9b832baec6521e822a7ce11435d0bdb4348fdbf0e787f6a7eca7601faf4ba
    • Instruction ID: 8b654a0a704c318d6d3499c27e4ef4364cf2690aab295fda1784168231e22e95
    • Opcode Fuzzy Hash: 05d9b832baec6521e822a7ce11435d0bdb4348fdbf0e787f6a7eca7601faf4ba
    • Instruction Fuzzy Hash: 49F0E53A30420A97CB049F79D845BEABFA5EFC1754B864059FA098B691D671D882C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • SetUnhandledExceptionFilter.KERNEL32(Function_00058763,00907F41), ref: 0090875C
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 7a659c440f34c64ff402b9fa2f55bdcc66bbfc8dc2f28e9ee7afe27966373c62
    • Instruction ID: 1db5dcdd5a439e17045f5fc9f77898c576356225b5107c133b4831633d474d49
    • Opcode Fuzzy Hash: 7a659c440f34c64ff402b9fa2f55bdcc66bbfc8dc2f28e9ee7afe27966373c62
    • Instruction Fuzzy Hash:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: HeapProcess
    • String ID:
    • API String ID: 54951025-0
    • Opcode ID: a5d7a8dba12939fee20bd2bd425697f41ed8907c5a849aa35a88781d07b8fec3
    • Instruction ID: b977b2e5b8e9e2f951df21cd09a621efbcb04e02c5ad3e9fb0da0db0659de9a6
    • Opcode Fuzzy Hash: a5d7a8dba12939fee20bd2bd425697f41ed8907c5a849aa35a88781d07b8fec3
    • Instruction Fuzzy Hash: C5A022F03A8202CF8B00CF30AE0830C3AE8FA0A2C0B00C028A008C2030EF308002FB00
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Initstd::locale::_
    • String ID:
    • API String ID: 1620887387-0
    • Opcode ID: 5bef8c9cdfc47b92fe9df1436948c11cdd268be3ce71c1a39ebcbfc0d166d996
    • Instruction ID: a36a7997fafd10497f656c57ac5b809acf61e6cdf1e776fb26e65dfc6923af46
    • Opcode Fuzzy Hash: 5bef8c9cdfc47b92fe9df1436948c11cdd268be3ce71c1a39ebcbfc0d166d996
    • Instruction Fuzzy Hash: 50825A74B052058BEF18CBA8C8A4BADB7A1FF89704F58416CE456EF7A1DB71AD41CB40
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 1027f0786a6f7df57b792448af679780a06b7261ab022970396265f429cb4422
    • Instruction ID: f048f1dbbd73a4bb8e5b88608d7a0d3b1db7b6ddefe0bd5058ec867f7808d215
    • Opcode Fuzzy Hash: 1027f0786a6f7df57b792448af679780a06b7261ab022970396265f429cb4422
    • Instruction Fuzzy Hash: AB325322E29F054DD7239635DC22336A65CAFB73C4F15C727F81AB5AAAEB29C5C35100
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
    • Instruction ID: d885db7587c9e41faf5bf4c7f9a3e8a19579a961887ab9b2553947df0a453e2a
    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
    • Instruction Fuzzy Hash: D2C17F322051930EEF2D867E847413EBBE95EA27B131A1B6DD4BACB1D4FF20C525D620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
    • Instruction ID: 730a89fa236338e85f4847e4706a761007d32299e618e5e0d77954283a7a3153
    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
    • Instruction Fuzzy Hash: 22C16F322051A30EEF2D867EC47413EBBE55AA27B131A1B6DD4BACB1D4FF20C525D620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
    • Instruction ID: de17c43f26dabae4d19405f68a5c16fc38a46aef3646dce100742477367c115e
    • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
    • Instruction Fuzzy Hash: 08C181322051930EEF2D867EC47413EBBE95AA27B131A0B6DE4B6CB1D5FF20C565D620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
    • Instruction ID: 5a4c873aa0b182272d175b9c01c7136b31d89926a85550100556dc9f83686ef7
    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
    • Instruction Fuzzy Hash: F9C17E322091930DEF6D863EC43413EBBE95AA27B131A0B6DD4B6CB1D4FF20D569D620
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: d23c4094b837be603a276dd9b36caba6fc9f4c8d7a97366dcdbfae5905e1f5aa
    • Instruction ID: 05864340f48b03482be713e84753757f073727e56efed2ec53dbb834ba7d62e2
    • Opcode Fuzzy Hash: d23c4094b837be603a276dd9b36caba6fc9f4c8d7a97366dcdbfae5905e1f5aa
    • Instruction Fuzzy Hash: D5F05831744608DFC714CF55C840F6AB7E9FB49B10F1482ADE916CBBA0DB36A800CA40
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 7c3dd1f551c5a965b638d44823d94218a89eb2fdf3d51ec60156ca11fcfb748b
    • Instruction ID: ee539ff0532f24d2036e48c715a203240b06237c32b330539573824d3788aa40
    • Opcode Fuzzy Hash: 7c3dd1f551c5a965b638d44823d94218a89eb2fdf3d51ec60156ca11fcfb748b
    • Instruction Fuzzy Hash: 55F0A031744648DFCB14CF54C854F6AB7E8FB09B10F0082ADE81ACBBA0EB35A801CA40
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph
    (rendered graph not reproduced in text; the report colours basic blocks as Executed / Not Executed)
    • Function spans 0090CEA8-0090D245; its blocks call 009110EB, 0090D4FD, 0090D833, 009115D7, 0091129D, 00907C12 and the GetCPInfo API (block 0090CFA8)
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$Info
    • String ID:
    • API String ID: 2509303402-0
    • Opcode ID: 16812511dc794368d029de1107674032b599c0fbc909c7c5785b6f0479a15d81
    • Instruction ID: 617f5244fdca6a75e665d338586772c792480927360e8685cfd15aa40d91fd1a
    • Opcode Fuzzy Hash: 16812511dc794368d029de1107674032b599c0fbc909c7c5785b6f0479a15d81
    • Instruction Fuzzy Hash: 17B1A171D053099FDB21DFA8C881BEEBBF9BF48300F144069F959A7292DB75A841DB60
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph
    (rendered graph not reproduced in text; the report colours basic blocks as Executed / Not Executed)
    • Function spans 009169CF-00916B18; its blocks call 00916B42, 0090D833, 00915D28 and 009161E2
    APIs
    • ___free_lconv_mon.LIBCMT ref: 00916A13
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915D45
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915D57
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915D69
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915D7B
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915D8D
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915D9F
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915DB1
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915DC3
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915DD5
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915DE7
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915DF9
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915E0B
      • Part of subcall function 00915D28: _free.LIBCMT ref: 00915E1D
    • _free.LIBCMT ref: 00916A08
      • Part of subcall function 0090D833: HeapFree.KERNEL32(00000000,00000000,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?), ref: 0090D849
      • Part of subcall function 0090D833: GetLastError.KERNEL32(?,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?,?), ref: 0090D85B
    • _free.LIBCMT ref: 00916A2A
    • _free.LIBCMT ref: 00916A3F
    • _free.LIBCMT ref: 00916A4A
    • _free.LIBCMT ref: 00916A6C
    • _free.LIBCMT ref: 00916A7F
    • _free.LIBCMT ref: 00916A8D
    • _free.LIBCMT ref: 00916A98
    • _free.LIBCMT ref: 00916AD0
    • _free.LIBCMT ref: 00916AD7
    • _free.LIBCMT ref: 00916AF4
    • _free.LIBCMT ref: 00916B0C
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
    • String ID:
    • API String ID: 161543041-0
    • Opcode ID: 825aa9f73f4229e17ee9a489f3ff28e39ef490ec795186b096dba3efbae96338
    • Instruction ID: e11a422209d989972a0ce18a1ca4050096794c49016c2248adb721a9972f13a5
    • Opcode Fuzzy Hash: 825aa9f73f4229e17ee9a489f3ff28e39ef490ec795186b096dba3efbae96338
    • Instruction Fuzzy Hash: AF314C31B043099FEB21AEB9E845B9AB3E9EF40310F10C429E859E7191DF71ED80DB60
    Uniqueness

    Uniqueness Score: -1.00%
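
    Triage note, added here as an illustration and not part of the Joe Sandbox output: the records in this part of the report keep returning to the same small set of calls (GetLocaleInfoW, EnumSystemLocalesW, GetCPInfo, HeapFree, EnterCriticalSection, and the LIBCMT helpers _free, _abort and ___free_lconv_mon, all reached through the same subcall chains at 00910D45 and 0090D833). That pattern is consistent with the statically linked MSVC runtime's locale and heap set-up rather than with sample-specific logic, which is why reading these functions one by one is a poor use of analyst time. The Python below parses records in this report's text layout, separates direct calls from "Part of subcall" entries, and buckets each function as CRT boilerplate, no-API (only fuzzy hashes to go on) or worth manual review. The CRT_WIN32 set, the classification rule and the SAMPLE records are this example's own assumptions; the WS2_32 record in SAMPLE is hypothetical and is not taken from this analysis.

```python
"""Bucket Joe Sandbox per-function records into CRT boilerplate vs. code to read.
Added example, not part of the Joe Sandbox report or toolchain: the record layout
follows the report text; the CRT heuristic and SAMPLE are this example's assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Win32 calls the statically linked MSVC runtime issues while setting up locale,
# heap and exception state. Assumption: a function whose direct calls all come
# from LIBCMT/LIBVCRUNTIME or this set is runtime code, not sample logic.
CRT_WIN32 = {
    "GetLocaleInfoW", "EnumSystemLocalesW", "GetCPInfo", "GetLastError",
    "SetLastError", "HeapFree", "HeapAlloc", "GetProcessHeap",
    "EnterCriticalSection", "LeaveCriticalSection", "SetUnhandledExceptionFilter",
}
CRT_MODULES = {"LIBCMT", "LIBVCRUNTIME"}

# '• Name.MODULE(args), ref: ADDR' and '• Part of subcall function ADDR: Name.MODULE ref: ADDR'
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>[A-Za-z_][\w:]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref: (?P<ref>[0-9A-F]+)\s*$"
)
FIELD_LINE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|Opcode ID|Instruction Fuzzy Hash):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                 # call-site address from 'ref:'
    args: list[str]
    via_subcall: str | None  # callee address when listed as 'Part of subcall'

@dataclass
class FuncRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def direct_calls(self) -> list[ApiCall]:
        return [c for c in self.calls if c.via_subcall is None]

    def classify(self) -> str:
        direct = self.direct_calls
        if not direct:
            return "no-api"  # only fuzzy hashes to go on; match Opcode ID across samples
        if all(c.module in CRT_MODULES or (c.module == "KERNEL32" and c.name in CRT_WIN32)
               for c in direct):
            return "crt"
        return "review"

    def label(self) -> str:
        """Lowest direct call site plus API ID; Opcode ID prefix when there are no calls."""
        refs = [c.ref for c in self.direct_calls]
        if refs:
            return f"{min(refs, key=lambda r: int(r, 16))} {self.fields.get('API ID', '')}".rstrip()
        return "opcode:" + self.fields.get("Opcode ID", "")[:12]

def parse_records(text: str) -> list[FuncRecord]:
    """Split report text into records; a 'Uniqueness Score' line closes each one."""
    records, cur = [], FuncRecord()
    for line in text.splitlines():
        if line.strip().startswith("Uniqueness Score"):
            records.append(cur)
            cur = FuncRecord()
        elif m := API_LINE.match(line):
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.calls.append(ApiCall(m["name"], m["module"], m["ref"], args, m["sub"]))
        elif m := FIELD_LINE.match(line):
            cur.fields[m["key"]] = m["val"]
    if cur.calls or cur.fields:  # trailing record without a closing line
        records.append(cur)
    return records

def triage(text: str) -> dict[str, list[str]]:
    """Map bucket name -> labels of the records that fall into it."""
    out: dict[str, list[str]] = {"crt": [], "review": [], "no-api": []}
    for rec in parse_records(text):
        out[rec.classify()].append(rec.label())
    return out

# Constructed sample in the report's layout. The first two records mirror the CRT
# locale/_free records above; the WS2_32 record is hypothetical, not from this
# analysis, and only shows a function that would land in the 'review' bucket.
SAMPLE = """\
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
    • EnumSystemLocalesW.KERNEL32(009177CC,00000001), ref: 00917716
    • API ID: ErrorLast$EnumLocalesSystem_abort_free
    Uniqueness Score: -1.00%
    • _free.LIBCMT ref: 00910C71
    • _free.LIBCMT ref: 00910C65
    • API ID: _free$ErrorFreeHeapLast
    Uniqueness Score: -1.00%
    • socket.WS2_32(00000002,00000001,00000006), ref: 008C1A10
    • bind.WS2_32(?,?,00000010), ref: 008C1A2E
    • listen.WS2_32(?,00000005), ref: 008C1A3B
    • API ID: bindlistensocket
    Uniqueness Score: -1.00%
    • Opcode ID: 1027f0786a6f7df57b792448af679780a06b7261ab022970396265f429cb4422
    Uniqueness Score: -1.00%
"""
```

    Run triage() over the whole function-record text of a report. The "review" bucket is where reading time belongs; "no-api" records carry only Opcode and Instruction fuzzy hashes, which are useful for matching the same function across samples built with the same runtime rather than for judging behaviour on their own. The heuristic deliberately looks only at a function's direct calls, so a non-CRT function that happens to call into the runtime still lands in "review".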

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 9f24d92f32dfd4bd6f8b41c5f3e5067a62b7645e7a3cc42b6e2367e7f4a257a0
    • Instruction ID: 44acb20fe62a32552a3df76b8ecb96e0366d595cfe0c05abdfc4165b148d3663
    • Opcode Fuzzy Hash: 9f24d92f32dfd4bd6f8b41c5f3e5067a62b7645e7a3cc42b6e2367e7f4a257a0
    • Instruction Fuzzy Hash: 40C10276E41608BFDB20DBE8CD42FEA77F8AF48700F154165FA05FB286D67099819B60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 00910C65
      • Part of subcall function 0090D833: HeapFree.KERNEL32(00000000,00000000,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?), ref: 0090D849
      • Part of subcall function 0090D833: GetLastError.KERNEL32(?,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?,?), ref: 0090D85B
    • _free.LIBCMT ref: 00910C71
    • _free.LIBCMT ref: 00910C7C
    • _free.LIBCMT ref: 00910C87
    • _free.LIBCMT ref: 00910C92
    • _free.LIBCMT ref: 00910C9D
    • _free.LIBCMT ref: 00910CA8
    • _free.LIBCMT ref: 00910CB3
    • _free.LIBCMT ref: 00910CBE
    • _free.LIBCMT ref: 00910CCC
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: eba72d5dea4f8b1ebf7fe3307ae2960e79194440457c05282e21d50337ad88b8
    • Instruction ID: 6ffa89ad1c8be83af5a3631bf879bec360f779d2801c1133782a3d11bdd875ab
    • Opcode Fuzzy Hash: eba72d5dea4f8b1ebf7fe3307ae2960e79194440457c05282e21d50337ad88b8
    • Instruction Fuzzy Hash: 19117775A05108AFCB01EFD4C942ED93BB5EF84350B9181A5BE084B262D672DE91EB80
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00910D45: GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
      • Part of subcall function 00910D45: _free.LIBCMT ref: 00910D7C
      • Part of subcall function 00910D45: SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
      • Part of subcall function 00910D45: _abort.LIBCMT ref: 00910DC3
    • _memcmp.LIBVCRUNTIME ref: 0090FB06
    • _free.LIBCMT ref: 0090FB77
    • _free.LIBCMT ref: 0090FB90
    • _free.LIBCMT ref: 0090FBC2
    • _free.LIBCMT ref: 0090FBCB
    • _free.LIBCMT ref: 0090FBD7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$ErrorLast$_abort_memcmp
    • String ID: C
    • API String ID: 1679612858-1037565863
    • Opcode ID: d5eb1befe38e8b42f008b4645e22ce2b31f5b7a3022beda54c65566187226327
    • Instruction ID: 012103415c0681edffff6db13a1db44fea46481a14fcecd2a4bec4dcbaea405a
    • Opcode Fuzzy Hash: d5eb1befe38e8b42f008b4645e22ce2b31f5b7a3022beda54c65566187226327
    • Instruction Fuzzy Hash: EBB11975A012199FDB24DF18C894BADB7B4FF48314F5085AAE849A7791E731AE90CF40
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID:
    • API String ID: 118556049-0
    • Opcode ID: a01977a29b16fcf574ac60d83946f5ab67d132b59ccdfbf4de2cc737a6ad3e9d
    • Instruction ID: 1799494dbcb385fb85ef83d72157faf30b165088e7c19234d285be555506c2e2
    • Opcode Fuzzy Hash: a01977a29b16fcf574ac60d83946f5ab67d132b59ccdfbf4de2cc737a6ad3e9d
    • Instruction Fuzzy Hash: 93B1CFB09147458FD724CF19C484B42BBE0FF59324F15C69EE8588B362E3B5EA84CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 5f47ea5ab4f9e6343402963ed32fcdcae3ce96e3411897811f5547b5bf21f5d6
    • Instruction ID: 984906f4f83068154f08cfbf80aee857615bf52cd9cc92d4db97c6fad4ae12e9
    • Opcode Fuzzy Hash: 5f47ea5ab4f9e6343402963ed32fcdcae3ce96e3411897811f5547b5bf21f5d6
    • Instruction Fuzzy Hash: 0561B571E04219AFDB20DFA4C841BEEBBF8EF44710F144569E954EB291D770AD81DB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,0091A2B2,?,00000000,?,00000000,00000000), ref: 00919B7F
    • __fassign.LIBCMT ref: 00919BFA
    • __fassign.LIBCMT ref: 00919C15
    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00919C3B
    • WriteFile.KERNEL32(?,?,00000000,0091A2B2,00000000,?,?,?,?,?,?,?,?,?,0091A2B2,?), ref: 00919C5A
    • WriteFile.KERNEL32(?,?,00000001,0091A2B2,00000000,?,?,?,?,?,?,?,?,?,0091A2B2,?), ref: 00919C93
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
    • String ID:
    • API String ID: 1324828854-0
    • Opcode ID: e44c4881819dab33ae7d85b8c0ea78c638dfb472727f7bb3db976bdc2ef3a38c
    • Instruction ID: 6963fa59db0ba83a309ca27c759c2a7d424ba479f6e06d350819c1047e15bf5f
    • Opcode Fuzzy Hash: e44c4881819dab33ae7d85b8c0ea78c638dfb472727f7bb3db976bdc2ef3a38c
    • Instruction Fuzzy Hash: 655195B1E042499FDB10CFA8D895AEEBBF8FF09310F14451AE995E7251D730E981CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 00916467: _free.LIBCMT ref: 00916490
    • _free.LIBCMT ref: 0091676E
      • Part of subcall function 0090D833: HeapFree.KERNEL32(00000000,00000000,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?), ref: 0090D849
      • Part of subcall function 0090D833: GetLastError.KERNEL32(?,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?,?), ref: 0090D85B
    • _free.LIBCMT ref: 00916779
    • _free.LIBCMT ref: 00916784
    • _free.LIBCMT ref: 009167D8
    • _free.LIBCMT ref: 009167E3
    • _free.LIBCMT ref: 009167EE
    • _free.LIBCMT ref: 009167F9
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: 2c787a4941dabb1e22ee1c462e5b8ef14b0e9f0bdd24f9a8dba4ce42484360ea
    • Instruction ID: 68c39531b813cdbb4ef0cd2129828809417aa8c84d73f0e506b9b7994849f3e3
    • Opcode Fuzzy Hash: 2c787a4941dabb1e22ee1c462e5b8ef14b0e9f0bdd24f9a8dba4ce42484360ea
    • Instruction Fuzzy Hash: AA1103B1E41B08BAD620FBF0DC47FDB7B9C6F84700F804829B69D661E2EA79B5449750
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,0090C4F4,00909C67,009296D8,00000010,0090942F,?,?,?,?,?,00000000,?), ref: 0090C50B
    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0090C519
    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0090C532
    • SetLastError.KERNEL32(00000000,0090C4F4,00909C67,009296D8,00000010,0090942F,?,?,?,?,?,00000000,?), ref: 0090C584
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLastValue___vcrt_
    • String ID:
    • API String ID: 3852720340-0
    • Opcode ID: 2d1e3b66624d536a6f60e403ae8cf6d411587c3e9a5a939b049671ad1060033b
    • Instruction ID: 8d254d56d2e873106b31984b0b34a905210601380bf56031ecfec1488a5f39a8
    • Opcode Fuzzy Hash: 2d1e3b66624d536a6f60e403ae8cf6d411587c3e9a5a939b049671ad1060033b
    • Instruction Fuzzy Hash: 6D01F2B725E2196EEA2527B4BC85B6B2B9CEB497B53600329F230910F1FF116C41B140
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: __cftoe
    • String ID:
    • API String ID: 4189289331-0
    • Opcode ID: d6dfc5abe80bfd44a1f4e5fd82f88a8745a1fdd5149b6a7ce57b84c123d1243c
    • Instruction ID: 83c0d32f4a9bba78d2d03ca63bc962c7a3633ecea15c8edd50d19410100794ee
    • Opcode Fuzzy Hash: d6dfc5abe80bfd44a1f4e5fd82f88a8745a1fdd5149b6a7ce57b84c123d1243c
    • Instruction Fuzzy Hash: 7551E932901205AFDF249BE98C41FAE77ACAF89334F244229F829D61D2DB35D94096A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 008B3636
    • std::_Lockit::_Lockit.LIBCPMT ref: 008B3659
    • std::_Lockit::~_Lockit.LIBCPMT ref: 008B3679
    • __CxxThrowException@8.LIBVCRUNTIME ref: 008B36EF
    • std::_Facet_Register.LIBCPMT ref: 008B3705
    • std::_Lockit::~_Lockit.LIBCPMT ref: 008B3710
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
    • String ID:
    • API String ID: 2536120697-0
    • Opcode ID: fe86d573e6a68c0ca1b1b4d866f7f0b83f41b93f72ce4c71dc9bb61ac34f5e3b
    • Instruction ID: ce10edc53ec07b436dfe3bf49ec3ee4e66e5d229a1f6054e418d15b9ac4542d5
    • Opcode Fuzzy Hash: fe86d573e6a68c0ca1b1b4d866f7f0b83f41b93f72ce4c71dc9bb61ac34f5e3b
    • Instruction Fuzzy Hash: 6031B1B1D04218AFCB21DF94D881AEEB7F4FF99324F104129E801A7391DB31AE45DB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 008B3786
    • std::_Lockit::_Lockit.LIBCPMT ref: 008B37A9
    • std::_Lockit::~_Lockit.LIBCPMT ref: 008B37C9
    • __CxxThrowException@8.LIBVCRUNTIME ref: 008B383F
    • std::_Facet_Register.LIBCPMT ref: 008B3855
    • std::_Lockit::~_Lockit.LIBCPMT ref: 008B3860
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
    • String ID:
    • API String ID: 2536120697-0
    • Opcode ID: 77b288878b7bbbe2e9ad6b8aa63c2aa839ea99ce826d915d18764dd96c55874c
    • Instruction ID: 864f5547b85b570b00cf228bcb365504c850fba0883fa76775539a678ca64664
    • Opcode Fuzzy Hash: 77b288878b7bbbe2e9ad6b8aa63c2aa839ea99ce826d915d18764dd96c55874c
    • Instruction Fuzzy Hash: 3031AEB5D042189FCB21DFA4D880AEEB7B4FF48724F114269E805B7391DB31AE46CB91
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,0090CE3C,?,?,00906E03,?,?,?,00929624,?), ref: 00910D49
    • _free.LIBCMT ref: 00910D7C
    • _free.LIBCMT ref: 00910DA4
    • SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DB1
    • SetLastError.KERNEL32(00000000,?,00929624,?,?,?,?,?,?,?,?), ref: 00910DBD
    • _abort.LIBCMT ref: 00910DC3
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast$_free$_abort
    • String ID:
    • API String ID: 3160817290-0
    • Opcode ID: ceda14c3fcf0a913b74eac3f45009dbb23c35d9d304b043d321cdfa047612c1a
    • Instruction ID: 71b5dcf0a4668ae8c15d06604720aa5faf4a99e19e712d3441d64642560418c1
    • Opcode Fuzzy Hash: ceda14c3fcf0a913b74eac3f45009dbb23c35d9d304b043d321cdfa047612c1a
    • Instruction Fuzzy Hash: 6AF0A939349708AAC61133B47C06FEE15799FC2765F254114F958A61D2EE6598C19160
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • std::_Lockit::_Lockit.LIBCPMT ref: 008B1167
    • ___std_exception_copy.LIBVCRUNTIME ref: 008B11D3
    • __CxxThrowException@8.LIBVCRUNTIME ref: 008B11EB
      • Part of subcall function 0090A91A: RaiseException.KERNEL32(?,?,00906DB9,?,?,?,?,?,?,?,?,00906DB9,?,009295AC,?), ref: 0090A979
    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 008B11F2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: std::_$ExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrow___std_exception_copy
    • String ID: bad locale name
    • API String ID: 2988018378-1405518554
    • Opcode ID: 2c381f0cce5c08af412342de135fcc1271e748859b8fbea55c611ae470546ba7
    • Instruction ID: 5335fee4918404293c5699b75ec90c41ed6fff2f6d149aa80f8f67f45ef02ae7
    • Opcode Fuzzy Hash: 2c381f0cce5c08af412342de135fcc1271e748859b8fbea55c611ae470546ba7
    • Instruction Fuzzy Hash: 1D219C719147489ECB20CFA8C805B8FBBF8FF59710F10461EE445A3781E775A6088BA5
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0090E92C,00000000,?,0090E8CC,00000000,00929858,0000000C,0090EA23,00000000,00000002), ref: 0090E99B
    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0090E9AE
    • FreeLibrary.KERNEL32(00000000,?,?,?,0090E92C,00000000,?,0090E8CC,00000000,00929858,0000000C,0090EA23,00000000,00000002), ref: 0090E9D1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: AddressFreeHandleLibraryModuleProc
    • String ID: CorExitProcess$mscoree.dll
    • API String ID: 4061214504-1276376045
    • Opcode ID: 17b940fb9327d60b30ab698014e9472e2ef47ee827a134e3588953734298ff13
    • Instruction ID: 190c09596b36c54d23050ed05aca966b7e2fab1362cf19c6769d595e196d04be
    • Opcode Fuzzy Hash: 17b940fb9327d60b30ab698014e9472e2ef47ee827a134e3588953734298ff13
    • Instruction Fuzzy Hash: D7F04F70B5821CFFDF119BA0DC09BEEBFB8EB48755F004169F805A22A0CB705E81DA90
    Uniqueness

    Uniqueness Score: -1.00%
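
Note on the entry above: GetModuleHandleExW("mscoree.dll") followed by GetProcAddress("CorExitProcess") and FreeLibrary is the MSVC C runtime's process-exit path (try_cor_exit_process in the UCRT sources), which gives a loaded CLR a chance to shut down cleanly. It is compiled into every MSVC binary and is one of the GetProcAddress sites that the "Extensive use of GetProcAddress" signature counts, so it should not be read as an attacker resolving APIs dynamically. Most of the other entries in this part of the report are likewise CRT/STL internals (the LIBCMT, LIBVCRUNTIME and LIBCPMT module tags, the GetLastError/SetLastError/_free sequences around heap and FLS housekeeping), which is why their uniqueness is -1.00%.

The following script, added here as an illustration and not part of the Joe Sandbox report or its tooling, parses the "APIs" bullet format used throughout these entries and separates the calls worth an analyst's attention (direct Win32 imports and recovered string arguments) from runtime noise and from calls inherited via "Part of subcall function". It also recognises the CorExitProcess sequence so it can be filtered out. The module-tag classification and the pattern check are the author's own assumptions; the sample input is copied from the report lines above.

```python
import re

# Module tags that Joe Sandbox assigns to statically linked MSVC runtime code
# rather than Win32 imports: LIBCMT (C runtime), LIBVCRUNTIME (VC runtime
# support), LIBCPMT (C++ standard library). Calls into these are compiler noise.
# (Assumption for this example: these three tags cover the runtime entries.)
RUNTIME_MODULES = {"LIBCMT", "LIBVCRUNTIME", "LIBCPMT"}

# One "APIs" bullet:
#   • [Part of subcall function XXXXXXXX: ]Name.MODULE[(arg,arg,...)], ref: XXXXXXXX
LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX32_RE = re.compile(r"^[0-9A-F]{8}$")

# Constructed input: bullets copied from the report entries above, so the
# script runs offline against the exact line format the sandbox emits.
SAMPLE_APIS = r"""
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0090E92C,00000000,?,0090E8CC,00000000,00929858,0000000C,0090EA23,00000000,00000002), ref: 0090E99B
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0090E9AE
• FreeLibrary.KERNEL32(00000000,?,?,?,0090E92C,00000000,?,0090E8CC,00000000,00929858,0000000C,0090EA23,00000000,00000002), ref: 0090E9D1
  • Part of subcall function 0090D833: HeapFree.KERNEL32(00000000,00000000,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?), ref: 0090D849
• _free.LIBCMT ref: 0091676E
• __CxxThrowException@8.LIBVCRUNTIME ref: 008B36EF
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kGZyUV1upG.exe,00000104), ref: 0090E212
"""


def parse_line(line):
    """Parse one bullet into a dict; return None for lines that are not API entries."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    args = [] if m["args"] is None else m["args"].split(",")
    # Anything that is neither an unresolved "?" nor a 32-bit hex value is a
    # string the sandbox recovered: module names, export names, file paths.
    literals = [a for a in args if a != "?" and not HEX32_RE.match(a)]
    return {
        "name": m["name"],
        "module": m["module"],
        "ref": m["ref"],
        "callee": m["callee"],  # set when the call is inherited from a subcall
        "args": args,
        "literals": literals,
        "runtime": m["module"] in RUNTIME_MODULES,
    }


def parse_block(text):
    """Parse every API bullet in one function entry, skipping other lines."""
    return [c for c in (parse_line(ln) for ln in text.splitlines()) if c]


def summarize(calls):
    """Split a function's API list into the buckets that matter for triage."""
    return {
        "direct_win32": [c["name"] for c in calls if c["callee"] is None and not c["runtime"]],
        "inherited": [c["name"] for c in calls if c["callee"] is not None],
        "runtime_internal": [c["name"] for c in calls if c["runtime"]],
        "literals": [lit for c in calls for lit in c["literals"]],
    }


def is_cor_exit_process(calls):
    """True when the function's own calls show the CRT exit sequence
    GetModuleHandleExW("mscoree.dll") plus GetProcAddress("CorExitProcess").
    That pairing is standard MSVC exit() code, not dynamic API resolution by malware."""
    direct = [c for c in calls if c["callee"] is None]
    has_handle = any(c["name"] == "GetModuleHandleExW" and "mscoree.dll" in c["literals"] for c in direct)
    has_proc = any(c["name"] == "GetProcAddress" and "CorExitProcess" in c["literals"] for c in direct)
    return has_handle and has_proc


if __name__ == "__main__":
    calls = parse_block(SAMPLE_APIS)
    for key, value in summarize(calls).items():
        print(f"{key}: {value}")
    print("CRT CorExitProcess pattern:", is_cor_exit_process(calls))
```

Run over a whole report, the "direct_win32" and "literals" buckets are what to read first: here they reduce twenty-odd functions to GetModuleFileNameA with the sample's own path and the CRT exit sequence, neither of which supports the evasion signatures on its own.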

    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 25af42fe4ef09500f90fb968f163e876eba0d6c5162d12ec6e728fa62a9247f7
    • Instruction ID: baa77c80c7f006a90165353041f03a6ab5d54e673e39ae9dc465633f03bacde3
    • Opcode Fuzzy Hash: 25af42fe4ef09500f90fb968f163e876eba0d6c5162d12ec6e728fa62a9247f7
    • Instruction Fuzzy Hash: 57718071B0021A9FCF29EB94CC84AFEBB79EF45750B244629E5216B180D7748DD2DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0090D86D: HeapAlloc.KERNEL32(00000000,?,?,?,00908A77,?,?,?,?,?,008B1087,?,?,?), ref: 0090D89F
    • _free.LIBCMT ref: 0090F4E9
    • _free.LIBCMT ref: 0090F500
    • _free.LIBCMT ref: 0090F51F
    • _free.LIBCMT ref: 0090F53A
    • _free.LIBCMT ref: 0090F551
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$AllocHeap
    • String ID:
    • API String ID: 1835388192-0
    • Opcode ID: 94e17135632367b35fa8e478ecb9507ffedd42800d152aa1a79546abd1bdd82c
    • Instruction ID: d431226ff160f64f3d6a777594372284ebe9f7e2d7a74b9de724d0128dc572fb
    • Opcode Fuzzy Hash: 94e17135632367b35fa8e478ecb9507ffedd42800d152aa1a79546abd1bdd82c
    • Instruction Fuzzy Hash: CD51AE32A00604AFDB30DF69DC51B6AB7F8EF89720B144579E809D76A0E731EA01CB80
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free
    • String ID:
    • API String ID: 269201875-0
    • Opcode ID: 1d1cf6bd907c2bbaaa4c229552fdf9a57a023ab1902c988244f085115e289f8b
    • Instruction ID: 7fee028e50508d247555f2fff2c77d04a88c45cd665a30fd9b51df401011408b
    • Opcode Fuzzy Hash: 1d1cf6bd907c2bbaaa4c229552fdf9a57a023ab1902c988244f085115e289f8b
    • Instruction Fuzzy Hash: B641D532A002049FCB20DF78C891B5EB7F5EF89714F154569EA15EB791DB31AE02DB80
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.KERNEL32(00000006,00000000,0000007F,00920060,00000000,00000000,8B56FF8B,0090EBAD,?,00000006,00000001,00920060,0000007F,?,8B56FF8B,00000001), ref: 009112EA
    • __alloca_probe_16.LIBCMT ref: 00911322
    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00911373
    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00911385
    • __freea.LIBCMT ref: 0091138E
      • Part of subcall function 0090D86D: HeapAlloc.KERNEL32(00000000,?,?,?,00908A77,?,?,?,?,?,008B1087,?,?,?), ref: 0090D89F
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
    • String ID:
    • API String ID: 1857427562-0
    • Opcode ID: 430c4cb044dc0a01c33c9ae96c0a064e3b8d940604f8ef9f56070a923e626d1a
    • Instruction ID: 268a46bfacd420087450d848cc5a167f37b35f87fb7fb60d64e80d561794dee8
    • Opcode Fuzzy Hash: 430c4cb044dc0a01c33c9ae96c0a064e3b8d940604f8ef9f56070a923e626d1a
    • Instruction Fuzzy Hash: AD31DC72B0020AABDF258F64CC45EEE7BA9EB44710F044228FD24D7194E735DC91CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentStringsW.KERNEL32 ref: 00915A26
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00915A49
      • Part of subcall function 0090D86D: HeapAlloc.KERNEL32(00000000,?,?,?,00908A77,?,?,?,?,?,008B1087,?,?,?), ref: 0090D89F
    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00915A6F
    • _free.LIBCMT ref: 00915A82
    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00915A91
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
    • String ID:
    • API String ID: 2278895681-0
    • Opcode ID: e162418f254bde43b65ed784589e6b400412fee0e01220f9447158df2e9cc2d4
    • Instruction ID: b42d6c63d945474b36b9baf0ae64d6c8fc0c3456ddeb2c140c8be65d700d3a9a
    • Opcode Fuzzy Hash: e162418f254bde43b65ed784589e6b400412fee0e01220f9447158df2e9cc2d4
    • Instruction Fuzzy Hash: 5C0124B2742A29FF672056B69C88CFB696CDEC6BA13130228BD05C3210EA618D41A1B0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetLastError.KERNEL32(?,?,?,0090D809,0090D8B0,?,?,00908A77,?,?,?,?,?,008B1087,?,?), ref: 00910DCE
    • _free.LIBCMT ref: 00910E03
    • _free.LIBCMT ref: 00910E2A
    • SetLastError.KERNEL32(00000000,?,?,?), ref: 00910E37
    • SetLastError.KERNEL32(00000000,?,?,?), ref: 00910E40
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorLast$_free
    • String ID:
    • API String ID: 3170660625-0
    • Opcode ID: 2e0f930a73da24e51462ca087a92fd3fa0411701f91498f633b8531845a35073
    • Instruction ID: 2e3fd167cb020b8bbf7ede7db09a807517e6d28ff941a2aa24f2e3a849ad16a0
    • Opcode Fuzzy Hash: 2e0f930a73da24e51462ca087a92fd3fa0411701f91498f633b8531845a35073
    • Instruction Fuzzy Hash: 62017D32349208ABC72227766C45EEF266D9FD13707214924F818E3292EFB28CC1E060
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 009161FA
      • Part of subcall function 0090D833: HeapFree.KERNEL32(00000000,00000000,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?), ref: 0090D849
      • Part of subcall function 0090D833: GetLastError.KERNEL32(?,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?,?), ref: 0090D85B
    • _free.LIBCMT ref: 0091620C
    • _free.LIBCMT ref: 0091621E
    • _free.LIBCMT ref: 00916230
    • _free.LIBCMT ref: 00916242
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: c15acfdda4a66379855fe3d4e6f20c693c898ee3da965430da8470a5bdf69bbc
    • Instruction ID: a4c3f6e4dcd9011a2467bcee93bf1e4068cd618d5c5f5435bbfb6ce39244dfdf
    • Opcode Fuzzy Hash: c15acfdda4a66379855fe3d4e6f20c693c898ee3da965430da8470a5bdf69bbc
    • Instruction Fuzzy Hash: 94F03032A19204ABC631EFD8F882D5A73EDAE447107648C19F439D7545CB34FCC1EAA4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _free.LIBCMT ref: 00910104
      • Part of subcall function 0090D833: HeapFree.KERNEL32(00000000,00000000,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?), ref: 0090D849
      • Part of subcall function 0090D833: GetLastError.KERNEL32(?,?,00916495,?,00000000,?,00000000,?,00916739,?,00000007,?,?,00916B67,?,?), ref: 0090D85B
    • _free.LIBCMT ref: 00910116
    • _free.LIBCMT ref: 00910129
    • _free.LIBCMT ref: 0091013A
    • _free.LIBCMT ref: 0091014B
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$ErrorFreeHeapLast
    • String ID:
    • API String ID: 776569668-0
    • Opcode ID: f0c5412d6c436fe9d724cd13f50b7f9ede81383fc353bb13a61929d6ca0ef09d
    • Instruction ID: 9e57bf326b530ed6323db3d5481e3369155df5ef94b8cdfa142b030973cdced9
    • Opcode Fuzzy Hash: f0c5412d6c436fe9d724cd13f50b7f9ede81383fc353bb13a61929d6ca0ef09d
    • Instruction Fuzzy Hash: 46F03AB992A6219FD722AFB4FC0252C7BA4EF547203004216F818632B1C7355993FFC4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kGZyUV1upG.exe,00000104), ref: 0090E212
    • _free.LIBCMT ref: 0090E2DD
    • _free.LIBCMT ref: 0090E2E7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\kGZyUV1upG.exe
    • API String ID: 2506810119-3519604130
    • Opcode ID: ad9474a9719643da247db76e22b0feaede6f1c54f25edda73aeca64d63857d4a
    • Instruction ID: 0853b19b19e28f6e2983761e7b743ab9d6737c6867e9d29be4313619af97ea17
    • Opcode Fuzzy Hash: ad9474a9719643da247db76e22b0feaede6f1c54f25edda73aeca64d63857d4a
    • Instruction Fuzzy Hash: BF31A1B1A05218EFDB21DF98DC81AAEBBFCEFC5710F104566F914A7291D6708E81DB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • new.LIBCMT ref: 008B7C6D
    • new.LIBCMT ref: 008B7CDF
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B7D6D
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B7D72
      • Part of subcall function 008B7E90: new.LIBCMT ref: 008B7EC2
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task
    • String ID:
    • API String ID: 118556049-0
    • Opcode ID: 2dc3797ed0fc6ac80b3cd04e6037b8c1b205901038ccad802048c113beae1528
    • Instruction ID: 548d80e5269acf3012cb23307eb0ce4e43fe4ffa4c0422e74c3bfecdaff6a099
    • Opcode Fuzzy Hash: 2dc3797ed0fc6ac80b3cd04e6037b8c1b205901038ccad802048c113beae1528
    • Instruction Fuzzy Hash: 41418B75A047069FC724CF29C890AA9FBE1FF99311B14866EE899C7752D331F990CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • new.LIBCMT ref: 008B42C6
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B4330
      • Part of subcall function 00906D7D: __CxxThrowException@8.LIBVCRUNTIME ref: 00906D94
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B4335
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task$Exception@8Throw
    • String ID:
    • API String ID: 3339364867-0
    • Opcode ID: a08711649eb5669a9a1a0d0dc449c42cfb0618a87269a46a5a51f4623f9fd0aa
    • Instruction ID: 707ca5c5885fce5734f62ec957b5674be521304db7a476697b4540c6f835edb5
    • Opcode Fuzzy Hash: a08711649eb5669a9a1a0d0dc449c42cfb0618a87269a46a5a51f4623f9fd0aa
    • Instruction Fuzzy Hash: 731190B2A0051AAFC718DF68C882DAAF7A8FF543107144239E919C3391E771EE64C791
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • new.LIBCMT ref: 008B4F06
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B4F70
      • Part of subcall function 00906D7D: __CxxThrowException@8.LIBVCRUNTIME ref: 00906D94
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B4F75
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: Concurrency::cancel_current_task$Exception@8Throw
    • String ID:
    • API String ID: 3339364867-0
    • Opcode ID: 9cbbee8e32b90f32dc8ebc305f7290a3a7abf18e2bd0fe49b99b1586c9e47662
    • Instruction ID: 5f97b8303e5e286fd93dee437f6275cc9c971b7db12814fbc349f331f007bc32
    • Opcode Fuzzy Hash: 9cbbee8e32b90f32dc8ebc305f7290a3a7abf18e2bd0fe49b99b1586c9e47662
    • Instruction Fuzzy Hash: 5B1160B1A01516AFD718DF68D8829BAF7A8FF44310B144639E919C3391EB71FE24C7A1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,009117CB,?,00000000,00000000,00000000,?,00911A35,00000006,FlsSetValue), ref: 00911856
    • GetLastError.KERNEL32(?,009117CB,?,00000000,00000000,00000000,?,00911A35,00000006,FlsSetValue,00920664,0092066C,00000000,00000364,?,00910E17), ref: 00911862
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009117CB,?,00000000,00000000,00000000,?,00911A35,00000006,FlsSetValue,00920664,0092066C,00000000), ref: 00911870
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: LibraryLoad$ErrorLast
    • String ID:
    • API String ID: 3177248105-0
    • Opcode ID: ea35037e180ed7dd5ac8f9590f8063323ddd6d82243f5f8c22a2c36d83fa1244
    • Instruction ID: 545691dd29276a4fd30914c509c8b9a45e18f292e723a7b386cf448d203dcf0e
    • Opcode Fuzzy Hash: ea35037e180ed7dd5ac8f9590f8063323ddd6d82243f5f8c22a2c36d83fa1244
    • Instruction Fuzzy Hash: 4901F73676922EFBDB318A789C44AE6775CAF497A1B108660FB0ED3140D724D841C6E0
    Uniqueness

    Uniqueness Score: -1.00%
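The record above (call sites 00911856 to 00911870) shows LoadLibraryExW called with dwFlags 0x800 (LOAD_LIBRARY_SEARCH_SYSTEM32), then GetLastError, then LoadLibraryExW again with dwFlags 0, while most neighbouring records resolve only into LIBCMT/LIBCPMT/LIBVCRUNTIME. As an added example that is not part of the Joe Sandbox report, the Python below parses this record format and triages it: functions whose resolved calls all land in the statically linked MSVC runtime are labelled boilerplate, and the restricted-search-then-default-search LoadLibraryExW pair is flagged, because the retry with dwFlags 0 walks the default DLL search order that search-order hijacking targets. The sample input is three records copied from this page; the verdict labels, the SECTIONS/RUNTIME_MODULES tables and the reading of the pair as the runtime's WinAPI thunk loader (the FlsSetValue string in the stack slots is consistent with that) are my assumptions, not Joe Sandbox's classification.

```python
"""Parse the per-function records of a Joe Sandbox execution-graph listing (the format on
this page) and triage them: runtime boilerplate vs. functions reaching Windows APIs, plus
detection of the LoadLibraryExW search-flag fallback sequence shown in the listing."""
import re
from collections import namedtuple
# Three records copied from the listing on this page, trimmed to the fields used here.
SAMPLE = r"""
    APIs
    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kGZyUV1upG.exe,00000104), ref: 0090E212
    • _free.LIBCMT ref: 0090E2DD
    • _free.LIBCMT ref: 0090E2E7
    Similarity
    • API ID: _free$FileModuleName
    • String ID: C:\Users\user\Desktop\kGZyUV1upG.exe
    Uniqueness
    Uniqueness Score: -1.00%
    APIs
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,009117CB,?,00000000,00000000,00000000,?,00911A35,00000006,FlsSetValue), ref: 00911856
    • GetLastError.KERNEL32(?,009117CB,?,00000000,00000000,00000000,?,00911A35,00000006,FlsSetValue,00920664,0092066C,00000000,00000364,?,00910E17), ref: 00911862
    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009117CB,?,00000000,00000000,00000000,?,00911A35,00000006,FlsSetValue,00920664,0092066C,00000000), ref: 00911870
    Similarity
    • API ID: LibraryLoad$ErrorLast
    Uniqueness
    Uniqueness Score: -1.00%
    APIs
    • new.LIBCMT ref: 008B42C6
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B4330
      • Part of subcall function 00906D7D: __CxxThrowException@8.LIBVCRUNTIME ref: 00906D94
    • Concurrency::cancel_current_task.LIBCPMT ref: 008B4335
    Similarity
    • API ID: Concurrency::cancel_current_task$Exception@8Throw
    Uniqueness
    Uniqueness Score: -1.00%
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "Uniqueness"}
RUNTIME_MODULES = {"LIBCMT", "LIBCPMT", "LIBVCRUNTIME"}   # statically linked MSVC runtime (assumption)
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800                        # the dwFlags value seen in the listing
# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed with
# "Part of subcall function ADDR: " when Joe Sandbox attributes the call to a callee.
API_RE = re.compile(r"^(?:Part of subcall function (?P<callee>[0-9A-F]{8}): )?"
                    r"(?P<name>.+?)\.(?P<module>[A-Z][A-Z0-9_]*)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
ApiCall = namedtuple("ApiCall", "name module args ref callee")  # args: printed slots; callee: "" unless subcall

def parse_listing(text):
    """One {'apis': [ApiCall, ...], 'meta': {...}} dict per 'APIs' block, in listing order."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":                      # every record opens with its APIs block
                current = {"apis": [], "meta": {}}
                records.append(current)
            section = line
        elif current is None or not line:
            continue
        elif line.startswith("•"):
            body = line[1:].strip()
            if section != "APIs":                   # "Key: value" bullets (API ID, String ID, hashes, dumps)
                key, _, value = body.partition(":")
                current["meta"][key.strip()] = value.strip()
            elif (m := API_RE.match(body)):
                args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
                current["apis"].append(ApiCall(m["name"], m["module"], args, m["ref"], m["callee"] or ""))
    return records

def is_runtime_only(rec):
    """All resolved calls go into the statically linked MSVC runtime: compiler boilerplate."""
    return bool(rec["apis"]) and all(c.module in RUNTIME_MODULES for c in rec["apis"])

def has_search_flag_fallback(rec):
    """LoadLibraryExW(LOAD_LIBRARY_SEARCH_SYSTEM32) followed, in the same function, by a retry
    with dwFlags == 0; the retry uses the default DLL search order that hijacking targets."""
    seen_restricted = False
    for c in rec["apis"]:
        if c.name != "LoadLibraryExW":
            continue
        flags = int(c.args[2], 16) if len(c.args) > 2 and re.fullmatch(r"[0-9A-Fa-f]{8}", c.args[2]) else None
        if flags is not None and flags & LOAD_LIBRARY_SEARCH_SYSTEM32:
            seen_restricted = True
        elif seen_restricted and flags == 0:
            return True
    return False

def triage(text):
    """One (API ID, verdict, address of first call site) tuple per record."""
    out = []
    for rec in parse_listing(text):
        first = rec["apis"][0].ref if rec["apis"] else "?"
        if has_search_flag_fallback(rec):
            verdict = "loader: search-flag fallback"
        elif is_runtime_only(rec):
            verdict = "runtime boilerplate"
        elif rec["apis"]:
            verdict = "imports: " + ",".join(sorted({c.name for c in rec["apis"] if c.module not in RUNTIME_MODULES}))
        else:
            verdict = "no resolved calls"
        out.append((rec["meta"].get("API ID", ""), verdict, first))
    return out
```

Run `triage(open("listing.txt").read())` on the full function listing to get one verdict per record; records tagged "runtime boilerplate" can be deprioritised, and the flagged loader record is worth confirming as CRT code rather than a custom loader, since only the default-order retry is hijackable.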

    APIs
    • ___BuildCatchObject.LIBVCRUNTIME ref: 00909401
      • Part of subcall function 00909A39: ___AdjustPointer.LIBCMT ref: 00909A83
    • _UnwindNestedFrames.LIBCMT ref: 00909418
    • ___FrameUnwindToState.LIBVCRUNTIME ref: 0090942A
    • CallCatchBlock.LIBVCRUNTIME ref: 0090944E
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
    • String ID:
    • API String ID: 2633735394-0
    • Opcode ID: 2b147a754eb2872ebc8fdcf565fcaff096bfe3dfa664835812cca1db22f0c56c
    • Instruction ID: 2fc07eed21e3e9aed518e61f532a831748bbf6951843afd0b3bcff64f43e02e0
    • Opcode Fuzzy Hash: 2b147a754eb2872ebc8fdcf565fcaff096bfe3dfa664835812cca1db22f0c56c
    • Instruction Fuzzy Hash: DA01E532400109BFCF126F55CC45EEA7BBAEF88754F158014F918661A2D776E8A2EBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: 44edd02de8b77c63a7b644a902c5084350287424c1cadf83eb20808f932732aa
    • Instruction ID: 93a96ea7da0c60f059dea61fbf4b9e158e10fdb3bf3f34619fa2fc82ca109197
    • Opcode Fuzzy Hash: 44edd02de8b77c63a7b644a902c5084350287424c1cadf83eb20808f932732aa
    • Instruction Fuzzy Hash: 25F027B2A452040ED618EB749843B6E7384EFA0360710423AF21BC23D2F622ED71815A
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: dce6c199081048989e6eda411506324274c8179fb52135dfae83c246bb68abff
    • Instruction ID: baf2b1385f99e78c243f19fccb310b5c296ad7f9d05c1e83127e26d86ac8d252
    • Opcode Fuzzy Hash: dce6c199081048989e6eda411506324274c8179fb52135dfae83c246bb68abff
    • Instruction Fuzzy Hash: 77F0ECB3A441040ED61CE7B49853EAE7398DFA03A0704063EF21BC63D3F622ED65C156
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0090C416
    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0090C41B
    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0090C420
      • Part of subcall function 0090C78E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0090C79F
    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0090C435
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
    • String ID:
    • API String ID: 1761009282-0
    • Opcode ID: 9047f225a710797a61a8bf253e382432c5199412e9a5610390c563821c608de7
    • Instruction ID: d2c4e9b4d8a978285a947e6a5c410efe9f4a30c2e6d21eeff20278b2f4287e65
    • Opcode Fuzzy Hash: 9047f225a710797a61a8bf253e382432c5199412e9a5610390c563821c608de7
    • Instruction Fuzzy Hash: 41C04CD91042055DDC203BB172637BD23442CE67D5BC42BC1F941371E35B09040E3432
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __startOneArgErrorHandling.LIBCMT ref: 0090DB2D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ErrorHandling__start
    • String ID: pow
    • API String ID: 3213639722-2276729525
    • Opcode ID: 2ba60af0cd228f3551a0af03b5d16ba672bb096b2b517793321f611aa425e730
    • Instruction ID: 447979f9e97938c1fd24168809f7c7ccbda129495682e333140936b9faa75014
    • Opcode Fuzzy Hash: 2ba60af0cd228f3551a0af03b5d16ba672bb096b2b517793321f611aa425e730
    • Instruction Fuzzy Hash: 07519161B1E1098EDB21BB54CD013FA7BECDB85750F208D68E0D5862E9EB358CD1EA46
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetACP.KERNEL32(?,20001004,?,00000002), ref: 0091731B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID:
    • String ID: ACP$OCP
    • API String ID: 0-711371036
    • Opcode ID: 3539d6df5050d74613802da016d8eaf49d9345143def945f13d55dd89419814d
    • Instruction ID: 80fb5f53f0dfa20ff89f672f7987b7c3fa9e26c899be5d249a8093e4bdd0a64f
    • Opcode Fuzzy Hash: 3539d6df5050d74613802da016d8eaf49d9345143def945f13d55dd89419814d
    • Instruction Fuzzy Hash: BD219566B0810AA6DB248AD59901BD7E3BEAB64B50B564C64FD25D7104E732DE82C250
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00911ED0
    • GetLastError.KERNEL32(?,00000000), ref: 00911EDE
    • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,?,00000000,?,00000000), ref: 00911F39
    Memory Dump Source
    • Source File: 00000000.00000002.4062882740.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
    • Associated: 00000000.00000002.4062861774.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062924649.000000000091C000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062941314.000000000092B000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.4062954973.000000000092E000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_8b0000_kGZyUV1upG.jbxd
    Similarity
    • API ID: ByteCharMultiWide$ErrorLast
    • String ID:
    • API String ID: 1717984340-0
    • Opcode ID: 3b4fc3e5d6f4b9bcf913b878bce13864f7c8c21a6a9a2449382da1ccb28447e7
    • Instruction ID: 82c2925412d4c71e5b89912471c27e88ed429f6ddaa590cf436848789629d4e8
    • Opcode Fuzzy Hash: 3b4fc3e5d6f4b9bcf913b878bce13864f7c8c21a6a9a2449382da1ccb28447e7
    • Instruction Fuzzy Hash: A341C631B0424EBFDF219F64C844BFABBA8EF41310F158159FA5997291D7308D82CB91
    Uniqueness

    Uniqueness Score: -1.00%