Windows Analysis Report
SXQdCnmxiH.exe

Overview

General Information

Sample name: SXQdCnmxiH.exe (renamed because the original name is a hash value)
Original sample name: 1f5592d748bf37eb7b97cf5a07a5ccb0.exe
Analysis ID: 1465910
MD5: 1f5592d748bf37eb7b97cf5a07a5ccb0
SHA1: 337029c03bdba78ca2dd23ee587af64e10ab77b4
SHA256: c7eb9942feb36de4a332e007e5161eeee74607257af33ababa044e3333d492fc
Tags: 32, exe, trojan

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after accessing registry keys)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SXQdCnmxiH.exe (PID: 4460 cmdline: "C:\Users\user\Desktop\SXQdCnmxiH.exe" MD5: 1F5592D748BF37EB7B97CF5A07A5CCB0)
    • conhost.exe (PID: 5520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution: APT33, The Gorgon Group, UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware configuration (Remcos, extracted):
{"Host:Port:Password": "127.0.0.1:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-WSY52E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
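The configuration above is what the report's Malware Configuration Extractor recovered from the sample. The script below is an added example, not code from Joe Sandbox, from Remcos or from this page: it parses that JSON into the indicators a responder acts on (C2 host, port and password, whether the C2 is routable at all, the mutex, and which persistence and collection options are active). The function names are this example's own. It assumes that several C2 entries would be '|'-separated, that a Keylog flag other than 0 means the keylogger is on, and that the Run-key options only take effect when Install flag is Enable; under those assumptions this build, with Install flag Disable and a loopback C2, yields no persistence and no reachable C2.

```python
"""Triage an extracted Remcos configuration.

Added example for this report; not Joe Sandbox or Remcos code. The '|'
separator for multiple C2 entries, the Keylog-flag reading and the
"Run keys only apply when Install flag is Enable" reading are assumptions.
"""
import ipaddress
import json

# Configuration copied from the report (Malware Configuration Extractor output).
REPORT_CONFIG = r'''{"Host:Port:Password": "127.0.0.1:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-WSY52E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}'''

# Network string the report found in the binary (geolocation lookup).
GEOPLUGIN_URL = "http://geoplugin.net/json.gp"

# Config option -> registry key it controls (standard Run keys; mapping is this example's).
RUN_KEYS = {
    "Setup HKCU\\Run": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Setup HKLM\\Run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}


def parse_c2(field: str) -> list[dict]:
    """Split 'Host:Port:Password' into entries.

    Assumption: several entries are '|'-separated; the report's sample has one.
    The password is everything after the second ':' so it may itself contain ':'.
    """
    entries = []
    for raw in field.split("|"):
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split(":", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            raise ValueError(f"malformed C2 entry: {raw!r}")
        entries.append({"host": parts[0], "port": int(parts[1]), "password": parts[2]})
    return entries


def is_routable(host: str) -> bool:
    """True for DNS names and public IPs; False for loopback/private/link-local."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name: assume it resolves to something reachable
    return not (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified)


def enabled(cfg: dict, key: str) -> bool:
    return cfg.get(key, "").strip().lower() == "enable"


def triage(config_json: str) -> dict:
    cfg = json.loads(config_json)
    c2 = parse_c2(cfg["Host:Port:Password"])
    installs = enabled(cfg, "Install flag")
    # Assumption: Run-key options only take effect when the agent installs itself.
    persistence = [RUN_KEYS[k] for k in RUN_KEYS if installs and enabled(cfg, k)]
    host_iocs = [f"mutex:{cfg['Mutex']}"]
    if installs:
        host_iocs.append(f"file:{cfg['Install path']}\\{cfg['Copy file']}")
    keylogger = cfg.get("Keylog flag", "0") != "0"  # assumption: 0 = off
    if keylogger:
        host_iocs.append(f"file:{cfg['Keylog path']}\\{cfg['Keylog file']}")
    return {
        "c2": c2,
        "c2_routable": any(is_routable(e["host"]) for e in c2),
        "mutex": cfg["Mutex"],
        "persistence": persistence,
        "keylogger": keylogger,
        "screenshots": enabled(cfg, "Screenshot flag"),
        "host_iocs": host_iocs,
        "network_iocs": [f"{e['host']}:{e['port']}" for e in c2] + [GEOPLUGIN_URL],
    }


if __name__ == "__main__":
    print(json.dumps(triage(REPORT_CONFIG), indent=2))
```

Run as-is to triage this report's configuration, or pass another extracted config string to triage(). The loopback C2 and disabled install are consistent with the Networking section below, which lists only 127.0.0.1 and the geoplugin strings; the mutex Rmc-WSY52E is the one the System Summary shows being created.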
Source: SXQdCnmxiH.exe | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: SXQdCnmxiH.exe | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings:
  • 0x58338:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x58848:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x58218:$str_b2: Executing file:
  • 0x58c1c:$str_b3: GetDirectListeningPort
  • 0x58638:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x587b8:$str_b7: \update.vbs
  • 0x58244:$str_b9: Downloaded file:
  • 0x58230:$str_b10: Downloading file:
  • 0x582d4:$str_b12: Failed to upload file:
  • 0x58be4:$str_b13: StartForward
  • 0x58c04:$str_b14: StopForward
  • 0x58710:$str_b15: fso.DeleteFile "
  • 0x586a4:$str_b16: On Error Resume Next
  • 0x58740:$str_b17: fso.DeleteFolder "
  • 0x582c4:$str_b18: Uploaded file:
  • 0x58284:$str_b19: Unable to delete:
  • 0x586d8:$str_b20: while fso.FileExists("
  • 0x58471:$str_c0: [Firefox StoredLogins not found]
  • 0x583a5:$str_c2: [Chrome StoredLogins found, cleared!]
  • 0x58381:$str_c3: [Chrome StoredLogins not found]
  • 0x58498:$str_c6: \logins.json
Source: 00000000.00000002.4473295655.000000000059E000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 00000000.00000000.2021765642.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: Process Memory Space: SXQdCnmxiH.exe PID: 4460 | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.2.SXQdCnmxiH.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.2.SXQdCnmxiH.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings: the same 21 string matches, at the same offsets, as listed for SXQdCnmxiH.exe above
Source: 0.0.SXQdCnmxiH.exe.400000.0.unpack | Rule: JoeSecurity_Remcos | Description: Yara detected Remcos RAT | Author: Joe Security
Source: 0.0.SXQdCnmxiH.exe.400000.0.unpack | Rule: REMCOS_RAT_variants | Description: unknown | Author: unknown | Strings: the same 21 string matches, at the same offsets, as listed for SXQdCnmxiH.exe above
No Sigma rule has matched
No Snort rule has matched
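The string matches above come from the REMCOS_RAT_variants rule; the page lists the matched $str_* values and their offsets but not the rule's condition. The scanner below is an added example, not the deadbits rule itself and not Joe Sandbox code: it searches a buffer for the same strings, prints hits in the report's 0xOFFSET:$name: value form, and applies an assumed condition (hits in at least two of the a/b/c string groups) so a memory dump can be triaged on a host that has no YARA installed. The buffer build_sample() returns is constructed here and is not the sample's bytes.

```python
"""String-set scan mirroring the REMCOS_RAT_variants matches in the report.

Added example; it is not the deadbits rule and not Joe Sandbox code. The
rule's condition is not on the page, so GROUPS_REQUIRED is an assumption.
"""

# $str_* values the report lists as matching (ASCII).
REMCOS_STRINGS: dict[str, bytes] = {
    "$str_a5": rb"\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    "$str_b1": rb'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)',
    "$str_b2": b"Executing file:",
    "$str_b3": b"GetDirectListeningPort",
    "$str_b4": b'Set fso = CreateObject("Scripting.FileSystemObject")',
    "$str_b7": rb"\update.vbs",
    "$str_b9": b"Downloaded file:",
    "$str_b10": b"Downloading file:",
    "$str_b12": b"Failed to upload file:",
    "$str_b13": b"StartForward",
    "$str_b14": b"StopForward",
    "$str_b15": b'fso.DeleteFile "',
    "$str_b16": b"On Error Resume Next",
    "$str_b17": b'fso.DeleteFolder "',
    "$str_b18": b"Uploaded file:",
    "$str_b19": b"Unable to delete:",
    "$str_b20": b'while fso.FileExists("',
    "$str_c0": b"[Firefox StoredLogins not found]",
    "$str_c2": b"[Chrome StoredLogins found, cleared!]",
    "$str_c3": b"[Chrome StoredLogins not found]",
    "$str_c6": rb"\logins.json",
}
GROUPS_REQUIRED = 2  # assumption: hits in at least 2 of the a/b/c groups


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Every offset of needle in data (overlaps included), like YARA's match list."""
    offsets, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def scan(data: bytes, strings: dict[str, bytes] = REMCOS_STRINGS) -> dict[str, list[int]]:
    """{name: [offsets]} for every string that occurs at least once."""
    return {name: offs for name, needle in strings.items() if (offs := find_all(data, needle))}


def group_of(name: str) -> str:
    """'$str_b13' -> 'b' (the variant group the rule author grouped strings by)."""
    return name[len("$str_")]


def verdict(hits: dict[str, list[int]]) -> bool:
    return len({group_of(n) for n in hits}) >= GROUPS_REQUIRED


def format_matches(hits: dict[str, list[int]], strings=REMCOS_STRINGS) -> list[str]:
    """Rows in the report's '0xOFFSET:$name: value' form, sorted by offset."""
    rows = [(off, f"0x{off:x}:{name}: {strings[name].decode('latin-1')}")
            for name, offs in hits.items() for off in offs]
    return [row for _, row in sorted(rows)]


def build_sample() -> bytes:
    """Constructed buffer (not the sample's bytes): three strings after 0x40 of padding."""
    buf = bytearray(b"\x00" * 0x40)
    for name in ("$str_b2", "$str_b10", "$str_c3"):
        buf += REMCOS_STRINGS[name] + b"\x00" * 4
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    hits = scan(data)
    print("\n".join(format_matches(hits)))
    print("remcos-like:", verdict(hits))
```

Point it at an unpacked image or a process memory dump (python3 scan.py dump.bin) to get the same kind of offset list the report shows; the offsets are file offsets into whatever you scanned, so they coincide with the report's only for the same unpacked image.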

AV Detection

Source: SXQdCnmxiH.exe | Avira: detected
Source: 00000000.00000002.4473295655.000000000059E000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-WSY52E", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: SXQdCnmxiH.exe | ReversingLabs: Detection: 84%
Source: SXQdCnmxiH.exe | Virustotal: Detection: 79%
Source: Yara match | File source: SXQdCnmxiH.exe, type: SAMPLE
Source: Yara match | File source: 0.2.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473295655.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2021765642.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SXQdCnmxiH.exe PID: 4460, type: MEMORYSTR
Source: SXQdCnmxiH.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042B19B CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: SXQdCnmxiH.exe, 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: SXQdCnmxiH.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00440A49 FindFirstFileExA
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00404CF3 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Malware configuration extractor | URLs: 127.0.0.1
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow
Source: SXQdCnmxiH.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: SXQdCnmxiH.exe | String found in binary or memory: http://geoplugin.net/json.gp/C

E-Banking Fraud

Source: Yara match | File source: SXQdCnmxiH.exe, type: SAMPLE
Source: Yara match | File source: 0.2.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473295655.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2021765642.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SXQdCnmxiH.exe PID: 4460, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00414D34 SystemParametersInfoW

System Summary

Source: SXQdCnmxiH.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00414085 OpenProcess,NtSuspendProcess,CloseHandle
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004140B1 OpenProcess,NtResumeProcess,CloseHandle
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040F4A7 SetEvent,GetTickCount,DeleteFileW,ExitProcess,Sleep,Sleep,URLDownloadToFileW,MessageBoxW,ExitWindowsEx,LoadLibraryA,GetProcAddress,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,SetWindowTextW,StrToIntA,CreateThread,ShowWindow,SetForegroundWindow,ShowWindow
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041601F
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00431217
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042E220
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042B2A6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0044B470
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004304CE
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004454FB
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041F488
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040F4A7
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004175D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0043164C
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0043B680
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004476B8
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042D76E
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0043680C
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004309CA
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040D9A0
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00436A3B
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041FB26
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041FC69
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00445C19
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00430DE2
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041EF91
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: String function: 0042BE33 appears 34 times
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: String function: 0042C720 appears 50 times
Source: SXQdCnmxiH.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SXQdCnmxiH.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: classification engine | Classification label: mal100.rans.troj.spyw.evad.winEXE@2/1@0/1
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00410D25 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040A7FF CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00413B3A FindResourceA,LoadResource,LockResource,SizeofResource
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041311D OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-WSY52E
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5520:120:WilError_03
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: \~F | 0_2_0040A1D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: Software\ | 0_2_0040A1D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: Rmc-WSY52E | 0_2_0040A1D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: Exe | 0_2_0040A1D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: licence | 0_2_0040A1D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: Administrator | 0_2_0040A1D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: User | 0_2_0040A1D6
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Command line argument: del | 0_2_0040A1D6
Source: SXQdCnmxiH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SXQdCnmxiH.exe | ReversingLabs: Detection: 84%
Source: SXQdCnmxiH.exe | Virustotal: Detection: 79%
Source: unknown | Process created: C:\Users\user\Desktop\SXQdCnmxiH.exe "C:\Users\user\Desktop\SXQdCnmxiH.exe"
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Section loaded: mswsock.dll
Source: SXQdCnmxiH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SXQdCnmxiH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SXQdCnmxiH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SXQdCnmxiH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SXQdCnmxiH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SXQdCnmxiH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SXQdCnmxiH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SXQdCnmxiH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SXQdCnmxiH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SXQdCnmxiH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SXQdCnmxiH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SXQdCnmxiH.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00414EA2 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0044A5D6 push ecx; ret 0_2_0044A5E9
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042C766 push ecx; ret 0_2_0042C779
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0044AE38 push eax; ret 0_2_0044AE56
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00404A3B ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040A6C0 Sleep,ExitProcess
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00412E4B OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Window / User API: threadDelayed 5831
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Window / User API: threadDelayed 4116
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_0-41211)
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe TID: 748 | Thread sleep time: -17493000s >= -30000s
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe TID: 748 | Thread sleep time: -12348000s >= -30000s
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004081F9 FindFirstFileA,FindClose,FindNextFileA,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004072E5 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0041474A FindFirstFileW,FindNextFileW,RemoveDirectoryW,FindClose,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00407733 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00440A49 FindFirstFileExA
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00404CF3 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00405C8E __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00407FDE FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040511A SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: SXQdCnmxiH.exe, 00000000.00000002.4473295655.00000000005C0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00414EA2 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004389B4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040CB6C SetLastError,GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004320EC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042C52B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042C6BD SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042C8EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004124EF mouse_event
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0042C37B cpuid
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0044416B EnumSystemLocalesW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00444120 EnumSystemLocalesW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00444206 EnumSystemLocalesW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00444293 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0043D31C GetLocaleInfoW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004444E3 GetLocaleInfoW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0044460C GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00444713 GetLocaleInfoW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0040A7D3 GetLocaleInfoA
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_004447E0 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00443EA8 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_0043CEB5 EnumSystemLocalesW
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00413B81 GetLocalTime
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00413C9F CreateThread,GetComputerNameExW,GetUserNameW

                Stealing of Sensitive Information

Source: Yara match | File source: SXQdCnmxiH.exe, type: SAMPLE
Source: Yara match | File source: 0.2.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473295655.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2021765642.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SXQdCnmxiH.exe PID: 4460, type: MEMORYSTR
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00407EC0 \AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00407FDE \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00407FDE \key3.db

                Remote Access Functionality

Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-WSY52E
Source: Yara match | File source: SXQdCnmxiH.exe, type: SAMPLE
Source: Yara match | File source: 0.2.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.SXQdCnmxiH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473295655.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2021765642.000000000044D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SXQdCnmxiH.exe PID: 4460, type: MEMORYSTR
Source: C:\Users\user\Desktop\SXQdCnmxiH.exe | Code function: 0_2_00403B0B cmd.exe

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials In Files | 1 Account Discovery | Remote Desktop Protocol | 3 Clipboard Data | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Windows Service | 1 DLL Side-Loading | Security Account Manager | 1 System Service Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Process Injection | 1 Virtualization/Sandbox Evasion | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Access Token Manipulation | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Process Injection | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Source | Detection | Scanner | Label | Link
SXQdCnmxiH.exe | 84% | ReversingLabs | Win32.Trojan.DumpDacic |
SXQdCnmxiH.exe | 80% | Virustotal | | Browse
SXQdCnmxiH.exe | 100% | Avira | BDS/Backdoor.Gen |
SXQdCnmxiH.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
127.0.0.1 | 0% | Avira URL Cloud | safe |
127.0.0.1 | 0% | Virustotal | | Browse
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
127.0.0.1 | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | SXQdCnmxiH.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/C | SXQdCnmxiH.exe | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
127.0.0.1 | | | | | |
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1465910
                Start date and time:2024-07-02 08:35:57 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 18s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:5
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:SXQdCnmxiH.exe
                renamed because original name is a hash value
                Original Sample Name:1f5592d748bf37eb7b97cf5a07a5ccb0.exe
                Detection:MAL
                Classification:mal100.rans.troj.spyw.evad.winEXE@2/1@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 33
                • Number of non-executed functions: 155
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
Time | Type | Description
02:37:22 | API Interceptor | 4206216x Sleep call for process: SXQdCnmxiH.exe modified
                No context
                Process:C:\Users\user\Desktop\SXQdCnmxiH.exe
                File Type:ISO-8859 text, with CRLF line terminators
                Category:dropped
                Size (bytes):8805
                Entropy (8bit):4.691226838884723
                Encrypted:false
                SSDEEP:48:URmRdEVQKZEdAhWl4FB8m5SKRfh8PIcKeZD8Ijxkf2y0pXk2z/guEqJr5KJxdV2G:UuciXj8kpR+qzKfVQtEO92EjmkQ9T
                MD5:22822DB2EFAEC6E3E491987D78534AD8
                SHA1:08B51007E2994A330DF515379313DC364EC8588D
                SHA-256:F8A517A46B65A557F044F7993FADE014D7C096931331567EF88EE6A73611406E
                SHA-512:A6CC1A43A3DCF8261FC1719EA99E8421FE53877DCCB6A69E94741EDC3C9C3B0649425CA3373E6906FD676ED1E9D27C080E43B6E33B2BD56D54F644B171D0EE16
                Malicious:false
                Reputation:low
                Preview:... ______ ...(_____ \ ... _____) )_____ ____ ____ ___ ___ ...| __ /| ___ | \ / ___) _ \ /___)...| | \ \| ____| | | ( (__| |_| |___ |...|_| |_|_____)_|_|_|\____)___/(___/ .....Remcos v5.0.0 Light.... BreakingSecurity.net....02:36:46:406 i | Remcos Agent initialized..02:36:46:422 i | Access Level: Administrator..02:36:46:437 i | Connecting | TLS On | 127.0.0.1:2404..02:36:48:500 E | Connection Refused..02:36:49:515 i | Connecting | TLS On | 127.0.0.1:2404..02:36:51:562 E | Connection Refused..02:36:52:578 i | Connecting | TLS On | 127.0.0.1:2404..02:36:54:640 E | Connection Refused..02:36:55:656 i | Connecting | TLS On | 127.0.0.1:2404..02:36:57:719 E | Connection Refused..02:36:58:734 i | Connecting | TLS On | 127.0.0.1:2404..02:37:00:765 E | Connection Refused..02:37:01:781 i | Connecting | TLS On | 127.0.0.1:2404..02:37:03:812 E | Connection Refused..02:37:04:828 i | Connecting | TLS On | 127.0.0.1:240
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):6.561942170181937
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:SXQdCnmxiH.exe
                File size:440'320 bytes
                MD5:1f5592d748bf37eb7b97cf5a07a5ccb0
                SHA1:337029c03bdba78ca2dd23ee587af64e10ab77b4
                SHA256:c7eb9942feb36de4a332e007e5161eeee74607257af33ababa044e3333d492fc
                SHA512:8798b4957dd4c42498693f275fcf89fb09de6a42378e3e121302b82463d10d8998249841809711a3dce1b933dd4b9d91392c9a5eb4ab8baad09d2be12c5bf0f5
                SSDEEP:6144:pCJBSkHyP4DivRrO+d3cyU6320ho4nbJAj0N91EU7ZUFbz68AO2ZjXH76crD6B3:pCJB/RuFhU6ho0ej0N91HFAAZ77UB3
                TLSH:6F949E12B492C032C17212740E29FB7599BCBC212936597B73EA5E5BBE741C1BB36363
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............,...,...,MEj,...,MEh,X..,MEi,...,...,...,gy\,...,T..-...,T..-...,T..-...,...,...,...,...,N..-...,N.d,...,N..-...,Rich...
                Icon Hash:95694d05214c1b33
                Entrypoint:0x42c2ee
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:TERMINAL_SERVER_AWARE
                Time Stamp:0x66728C31 [Wed Jun 19 07:43:45 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:8a3b06a792183c402d038c6ccea86944
                Instruction
                call 00007F45147EBCDDh
                jmp 00007F45147EB6E3h
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F45147C8B5Ah
                mov dword ptr [esi], 0044D608h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0044D610h
                mov dword ptr [ecx], 0044D608h
                ret
                push ebp
                mov ebp, esp
                push esi
                push dword ptr [ebp+08h]
                mov esi, ecx
                call 00007F45147C8B27h
                mov dword ptr [esi], 0044D624h
                mov eax, esi
                pop esi
                pop ebp
                retn 0004h
                and dword ptr [ecx+04h], 00000000h
                mov eax, ecx
                and dword ptr [ecx+08h], 00000000h
                mov dword ptr [ecx+04h], 0044D62Ch
                mov dword ptr [ecx], 0044D624h
                ret
                push ebp
                mov ebp, esp
                sub esp, 0Ch
                lea ecx, dword ptr [ebp-0Ch]
                call 00007F45147EB82Fh
                push 0046152Ch
                lea eax, dword ptr [ebp-0Ch]
                push eax
                call 00007F45147EE0AFh
                int3
                push ebp
                mov ebp, esp
                and dword ptr [00464CF4h], 00000000h
                sub esp, 2Ch
                push ebx
                xor ebx, ebx
                inc ebx
                or dword ptr [00464008h], ebx
                push 0000000Ah
                call 00007F4514809A86h
                test eax, eax
                je 00007F45147EB9CDh
                and dword ptr [ebp-14h], 00000000h
                xor eax, eax
                or dword ptr [00464008h], 02h
                xor ecx, ecx
                push esi
                push edi
                mov dword ptr [00004CF4h], ebx
                Programming Language:
                • [C++] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x61ee0 | 0xf0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6c000 | 0x4ae0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x3240 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x60620 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x606b4 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x60658 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4d000 | 0x458 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4b65e | 0x4b800 | db294eb3652167aac011a6f88084697a | False | 0.5698403870033113 | data | 6.593617980898634 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x4d000 | 0x16658 | 0x16800 | 44d09f38441ed2ef4311a469320c0844 | False | 0.5041124131944444 | OpenPGP Public Key Version 6 | 5.864615616592108 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x64000 | 0x5804 | 0xe00 | c2f8f7020787d3b2510df7c8e5ebb891 | False | 0.22098214285714285 | DOS executable (block device driver @\273\) | 2.9547475152611895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x6a000 | 0x9 | 0x200 | 1f354d76203061bfdd5a53dae48d5435 | False | 0.033203125 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids | 0x6b000 | 0x230 | 0x400 | 800849abfeb58a77f7c196a6ccde4afc | False | 0.333984375 | data | 2.4412722468785604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x6c000 | 0x4ae0 | 0x4c00 | beabf07408719e39a28b778a9ca40537 | False | 0.27801192434210525 | data | 3.983593042450432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x71000 | 0x3240 | 0x3400 | e5f4a62ea9b11557f22221f2b6eacc1c | False | 0.7478966346153846 | data | 6.6079153889088955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6c18c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x6c5f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x6cf7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x6e024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x705cc | 0x4d2 | data | | | 1.0089141004862237
RT_GROUP_ICON | 0x70aa0 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcAddress, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetCurrentProcess, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetCurrentProcessId, GetTickCount, GlobalUnlock, LocalAlloc, GetModuleHandleA, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, RemoveDirectoryW, FindResourceA, OpenProcess, lstrcatW, LockResource, LoadResource, LocalFree, GetFileSize, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindNextVolumeW, SetLastError, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, HeapReAlloc, GetACP, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, VirtualProtect, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, GetLocaleInfoA, ExitProcess, CreateMutexA, GetModuleFileNameW, GetLongPathNameW, ExpandEnvironmentStringsA, GetLastError, WaitForSingleObject, FindNextFileA, FindFirstFileA, MoveFileW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, SetFileAttributesW, GetFileAttributesW, CreateFileW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, CreateDirectoryW, CreateProcessA, Sleep, PeekNamedPipe, CreatePipe, TerminateProcess, WriteFile, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, CloseHandle, SetEvent, CreateEventW, AllocConsole, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetModuleHandleW, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll | EnumWindows, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, SetForegroundWindow, SetClipboardData, GetClipboardData, MessageBoxW, IsWindowVisible, CloseWindow, GetWindowThreadProcessId, SendInput, EnumDisplaySettingsW, mouse_event, DrawIcon, GetSystemMetrics, GetIconInfo, SystemParametersInfoW, GetForegroundWindow, GetCursorPos, RegisterClassExA, AppendMenuA, CreateWindowExA, DefWindowProcA, TrackPopupMenu, CreatePopupMenu, ShowWindow, OpenClipboard, SetWindowTextW, ExitWindowsEx, EmptyClipboard, CloseClipboard
GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, BitBlt
ADVAPI32.dll | RegDeleteKeyA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
SHLWAPI.dll | StrToIntA, PathFileExistsA, PathFileExistsW
WINMM.dll | PlaySoundW, mciSendStringA, mciSendStringW
WS2_32.dll | connect, socket, send, WSAStartup, recv, htons, htonl, getservbyname, inet_ntoa, ntohs, getservbyport, gethostbyaddr, WSAGetLastError, WSASetLastError, inet_addr, closesocket, gethostbyname
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdiplusStartup, GdipDisposeImage, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipGetImageEncoders, GdipCloneImage, GdipAlloc
WININET.dll | InternetOpenW, InternetCloseHandle, InternetReadFile, InternetOpenUrlW
Language of compilation system | Country where language is spoken | Map
English | United States |
                No network behavior found

                Target ID:0
                Start time:02:36:45
                Start date:02/07/2024
                Path:C:\Users\user\Desktop\SXQdCnmxiH.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\SXQdCnmxiH.exe"
                Imagebase:0x400000
                File size:440'320 bytes
                MD5 hash:1F5592D748BF37EB7B97CF5A07A5CCB0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4473295655.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2021765642.000000000044D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:false

                Target ID:1
                Start time:02:36:46
                Start date:02/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6d64d0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:false

                  Execution Graph

                  Execution Coverage:4.3%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:15.2%
                  Total number of Nodes:1168
                  Total number of Limit Nodes:18
40914 404798 40913->40914 40914->40390 40916 40251a 28 API calls 40915->40916 40917 40206a 40916->40917 40917->40912 40919 403514 40918->40919 40920 4035a8 11 API calls 40919->40920 40921 40351f 40920->40921 40934 403621 40921->40934 40924 409450 40946 4094b7 40924->40946 40926 409460 40950 406547 40926->40950 40929 407d1f 40971 4067ef 40929->40971 40931 407d2f 40932 406547 11 API calls 40931->40932 40933 407d3e 40932->40933 40933->40408 40935 40362f char_traits 40934->40935 40938 403640 40935->40938 40937 403529 40937->40924 40939 403650 40938->40939 40940 403656 40939->40940 40941 40366d 40939->40941 40945 4037c7 28 API calls 40940->40945 40942 403723 28 API calls 40941->40942 40944 40366b 40942->40944 40944->40937 40945->40944 40947 4094c5 char_traits 40946->40947 40956 4094d7 40947->40956 40949 4094d2 40949->40926 40951 406555 40950->40951 40952 4035a8 11 API calls 40951->40952 40953 40656f 40952->40953 40954 406821 11 API calls 40953->40954 40955 406580 40954->40955 40955->40929 40957 4094e7 40956->40957 40958 409505 40957->40958 40959 4094ed 40957->40959 40960 4026bf 22 API calls 40958->40960 40969 406f79 28 API calls 40959->40969 40961 40950d 40960->40961 40963 409581 40961->40963 40964 409524 40961->40964 40970 4026de 22 API calls 40963->40970 40966 403723 28 API calls 40964->40966 40968 409503 40964->40968 40966->40968 40968->40949 40969->40968 40972 4067fd char_traits 40971->40972 40975 406962 40972->40975 40974 406809 40974->40931 40976 406972 40975->40976 40977 406978 40976->40977 40978 40698f 40976->40978 40986 4069f2 28 API calls 40977->40986 40980 4069a5 40978->40980 40981 4069ea 40978->40981 40983 403723 28 API calls 40980->40983 40985 40698d 40980->40985 40987 4026de 22 API calls 40981->40987 40983->40985 40985->40974 40986->40985 40989 402c77 40988->40989 40992 402dd6 40989->40992 40991 402c84 40991->40414 40993 402de6 40992->40993 40994 402e02 40993->40994 40995 402dec 40993->40995 40996 4026bf 22 API calls 40994->40996 41005 4030b6 28 API calls 
40995->41005 40997 402e0a 40996->40997 40999 402e21 40997->40999 41000 402e7d 40997->41000 41002 402723 28 API calls 40999->41002 41004 402e00 40999->41004 41006 4026de 22 API calls 41000->41006 41002->41004 41004->40991 41005->41004 41013 433831 41007->41013 41011 40d352 41010->41011 41012 40d328 RegSetValueExA RegCloseKey 41010->41012 41011->40435 41012->41011 41016 4337b2 41013->41016 41015 4087ed 41015->40433 41017 4337c1 41016->41017 41018 4337d5 41016->41018 41019 434256 _free 20 API calls 41017->41019 41021 4337c6 __alldvrm __cftoe 41018->41021 41022 43d386 11 API calls 2 library calls 41018->41022 41019->41021 41021->41015 41022->41021 41026 413e9c ___scrt_get_show_window_mode 41023->41026 41024 402178 28 API calls 41025 40e94e 41024->41025 41025->40441 41026->41024 41027->40458 41029 4021c9 11 API calls 41028->41029 41030 406bb1 41029->41030 41031 402ba1 28 API calls 41030->41031 41032 406bcd 41031->41032 41033 40206e 28 API calls 41032->41033 41034 406bd5 41033->41034 41034->40486 41036 40e907 WSASetLastError 41035->41036 41037 40e8fd 41035->41037 41036->40486 41152 40e783 29 API calls ___std_exception_copy 41037->41152 41039 40e902 41039->41036 41042 40168c socket 41041->41042 41043 40167f 41041->41043 41045 4016a6 CreateEventW 41042->41045 41046 401688 41042->41046 41153 4016e4 WSAStartup 41043->41153 41045->40486 41046->40486 41047 401684 41047->41042 41047->41046 41049 401d83 41048->41049 41050 401e08 41048->41050 41051 401d8c 41049->41051 41052 401dde CreateEventA CreateThread 41049->41052 41053 401d9b GetLocalTime 41049->41053 41050->40486 41051->41052 41052->41050 41155 401f6e 41052->41155 41154 41410a 28 API calls 41053->41154 41055 401daf 41056 402a6d 28 API calls 41055->41056 41057 401dbf 41056->41057 41058 402178 28 API calls 41057->41058 41059 401dce 41058->41059 41060 413b81 79 API calls 41059->41060 41061 401dd3 41060->41061 41062 402091 11 API calls 41061->41062 41062->41052 41064 401861 41063->41064 41065 401734 41063->41065 41066 4017c4 
41064->41066 41067 401867 WSAGetLastError 41064->41067 41065->41066 41070 402a91 28 API calls 41065->41070 41090 401769 41065->41090 41066->40486 41067->41066 41068 401877 41067->41068 41071 401778 41068->41071 41072 40187c 41068->41072 41074 401755 41070->41074 41077 402178 28 API calls 41071->41077 41170 414e33 30 API calls 41072->41170 41073 401771 41073->41071 41076 401787 41073->41076 41078 402178 28 API calls 41074->41078 41087 401796 41076->41087 41088 4017cd 41076->41088 41080 4018c6 41077->41080 41081 401764 41078->41081 41079 401886 41082 402a6d 28 API calls 41079->41082 41084 402178 28 API calls 41080->41084 41085 413b81 79 API calls 41081->41085 41083 401896 41082->41083 41086 402178 28 API calls 41083->41086 41089 4018d5 41084->41089 41085->41090 41091 4018a5 41086->41091 41093 402178 28 API calls 41087->41093 41167 419dbe 53 API calls 41088->41167 41094 413b81 79 API calls 41089->41094 41159 4190ba 27 API calls 41090->41159 41095 413b81 79 API calls 41091->41095 41097 4017a5 41093->41097 41094->41066 41098 4018aa 41095->41098 41096 4017d5 41099 40180a 41096->41099 41100 4017da 41096->41100 41101 402178 28 API calls 41097->41101 41102 402091 11 API calls 41098->41102 41169 419255 28 API calls 41099->41169 41103 402178 28 API calls 41100->41103 41104 4017b4 41101->41104 41102->41066 41106 4017e9 41103->41106 41107 413b81 79 API calls 41104->41107 41110 402178 28 API calls 41106->41110 41111 4017b9 41107->41111 41108 401812 41109 40183f CreateEventW CreateEventW 41108->41109 41112 402178 28 API calls 41108->41112 41109->41066 41113 4017f8 41110->41113 41160 419100 41111->41160 41114 401828 41112->41114 41115 413b81 79 API calls 41113->41115 41117 402178 28 API calls 41114->41117 41118 4017fd 41115->41118 41119 401837 41117->41119 41168 419507 51 API calls 41118->41168 41121 413b81 79 API calls 41119->41121 41122 40183c 41121->41122 41122->41109 41124 401c65 SetEvent CloseHandle 41123->41124 41125 401c7c closesocket 41123->41125 41126 401d05 41124->41126 
41127 401c89 41125->41127 41126->40486 41128 401c98 41127->41128 41129 401c9f 41127->41129 41173 401eff 83 API calls 41128->41173 41131 401cb1 WaitForSingleObject 41129->41131 41132 401cfb SetEvent CloseHandle 41129->41132 41133 419100 3 API calls 41131->41133 41132->41126 41134 401cc4 SetEvent WaitForSingleObject 41133->41134 41135 419100 3 API calls 41134->41135 41136 401ce0 SetEvent FindCloseChangeNotification FindCloseChangeNotification 41135->41136 41136->41132 41137->40486 41138->40486 41139->40486 41140->40486 41141->40486 41142->40486 41143->40524 41144->40524 41145->40524 41146->40524 41147->40524 41148->40524 41149->40524 41150->40524 41151->40524 41152->41039 41153->41047 41154->41055 41158 401f7f 101 API calls 41155->41158 41157 401f7a 41158->41157 41159->41073 41161 416be2 41160->41161 41162 419108 41160->41162 41163 416bf0 41161->41163 41171 415d1b DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 41161->41171 41162->41066 41172 416912 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 41163->41172 41166 416bf7 41167->41096 41168->41111 41169->41108 41170->41079 41171->41163 41172->41166 41173->41129 41205 4159c9 41174->41205 41177 4159b3 GetMessageA 41178 4159c4 41177->41178 41179 41599f TranslateMessage DispatchMessageA 41177->41179 41179->41177 41182 40a6db 41180->41182 41183 40a776 41182->41183 41185 40a766 Sleep 41182->41185 41202 40a70d 41182->41202 41211 40cfd6 RegOpenKeyExA 41182->41211 41186 403509 28 API calls 41183->41186 41184 403509 28 API calls 41184->41202 41185->41182 41189 40a781 41186->41189 41188 4141da 28 API calls 41188->41202 41190 4141da 28 API calls 41189->41190 41191 40a78d 41190->41191 41216 40d2a7 14 API calls 41191->41216 41194 4034ff 11 API calls 41194->41202 41195 40a79b 41196 4034ff 11 API calls 41195->41196 41198 40a7a7 41196->41198 41197 402178 28 API calls 41197->41202 41199 402178 28 API calls 41198->41199 41200 40a7b4 41199->41200 41203 40d202 14 API calls 41200->41203 41201 40d202 14 API 
calls 41201->41202 41202->41184 41202->41185 41202->41188 41202->41194 41202->41197 41202->41201 41214 408817 54 API calls ___scrt_get_show_window_mode 41202->41214 41215 40d2a7 14 API calls 41202->41215 41204 40a7c7 ExitProcess 41203->41204 41206 42ec50 ___scrt_get_show_window_mode 41205->41206 41207 4159e0 RegisterClassExA 41206->41207 41208 41593b ExtractIconA lstrcpynA Shell_NotifyIconA 41207->41208 41209 415a20 CreateWindowExA 41207->41209 41208->41177 41209->41208 41210 415a3a GetLastError 41209->41210 41210->41208 41212 40d000 RegQueryValueExA RegCloseKey 41211->41212 41213 40d02d 41211->41213 41212->41213 41213->41182 41215->41202 41216->41195 41494 40b584 70 API calls std::_Fac_tidy_reg_t::~_Fac_tidy_reg_t 41613 403f90 86 API calls 41615 423b9c 28 API calls 41497 40d9a0 80 API calls 41617 40afa2 23 API calls 41618 40f7a6 45 API calls 41498 4115a9 GdipAlloc GdipCloneImage 41620 4323a8 49 API calls 5 library calls 41622 42e7b0 6 API calls 3 library calls 41624 40f7b4 65 API calls 41503 433dbb 21 API calls 3 library calls 41504 41edbb WSAGetLastError send 41505 40e5bb 55 API calls 2 library calls 41506 4109bf 49 API calls 41626 40abbe 67 API calls fpos

                  Control-flow Graph

                  APIs
                  • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414EB5
                  • GetProcAddress.KERNEL32(00000000), ref: 00414EBE
                  • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414ED9
                  • GetProcAddress.KERNEL32(00000000), ref: 00414EDC
                  • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414EED
                  • GetProcAddress.KERNEL32(00000000), ref: 00414EF0
                  • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F05
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F08
                  • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F19
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F1C
                  • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F28
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F2B
                  • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F3C
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F3F
                  • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F50
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F53
                  • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414F64
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F67
                  • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414F78
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F7B
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414F8C
                  • GetProcAddress.KERNEL32(00000000), ref: 00414F8F
                  • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FA0
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FA3
                  • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FB4
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FB7
                  • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00414FC8
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FCB
                  • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00414FD9
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FDC
                  • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,0040A1F2), ref: 00414FED
                  • GetProcAddress.KERNEL32(00000000), ref: 00414FF0
                  • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,0040A1F2), ref: 00415001
                  • GetProcAddress.KERNEL32(00000000), ref: 00415004
                  • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,0040A1F2), ref: 00415015
                  • GetProcAddress.KERNEL32(00000000), ref: 00415018
                  • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,0040A1F2), ref: 00415029
                  • GetProcAddress.KERNEL32(00000000), ref: 0041502C
                  • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,0040A1F2), ref: 0041503D
                  • GetProcAddress.KERNEL32(00000000), ref: 00415040
                  • GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,0040A1F2), ref: 00415051
                  • GetProcAddress.KERNEL32(00000000), ref: 00415054
                  • GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,0040A1F2), ref: 00415060
                  • GetProcAddress.KERNEL32(00000000), ref: 00415063
                  • LoadLibraryA.KERNELBASE(Rstrtmgr,RmStartSession,?,?,?,0040A1F2), ref: 00415070
                  • GetProcAddress.KERNEL32(00000000), ref: 00415073
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmRegisterResources,?,?,?,0040A1F2), ref: 0041507B
                  • GetProcAddress.KERNEL32(00000000), ref: 0041507E
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmGetList,?,?,?,0040A1F2), ref: 00415086
                  • GetProcAddress.KERNEL32(00000000), ref: 00415089
                  • LoadLibraryA.KERNEL32(Rstrtmgr,RmEndSession,?,?,?,0040A1F2), ref: 00415091
                  • GetProcAddress.KERNEL32(00000000), ref: 00415094
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad$HandleModule
                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                  • API String ID: 4236061018-3687161714
                  • Opcode ID: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
                  • Instruction ID: 89b8a1ca175abfd996f71f5c8e59976d1c4d63ecb14037e58508742e74396472
                  • Opcode Fuzzy Hash: 42f43bac1a948978ef40ac34bead5871a9a47ad840c4e162dcb489b325ed74a5
                  • Instruction Fuzzy Hash: 7F41ABA0E9435876DA107BF25C4EE1F2D5CD965B9A3214937B804931A3E9FC850CCEAF

                  Control-flow Graph

                   control_flow_graph: entry block 40a1d6; blocks call GetModuleFileNameW, CreateThread (twice), SetProcessDEPPolicy, DeleteFileW and Sleep. (The basic-block edge list is rendered as an executed/not-executed graph image in the original report and is omitted here.)
                  APIs
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414EB5
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414EBE
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,0040A1F2), ref: 00414ED9
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414EDC
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414EED
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414EF0
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,0040A1F2), ref: 00414F05
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F08
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,0040A1F2), ref: 00414F19
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F1C
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,0040A1F2), ref: 00414F28
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F2B
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,0040A1F2), ref: 00414F3C
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F3F
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,0040A1F2), ref: 00414F50
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F53
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,0040A1F2), ref: 00414F64
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F67
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,0040A1F2), ref: 00414F78
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F7B
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,0040A1F2), ref: 00414F8C
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414F8F
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,0040A1F2), ref: 00414FA0
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FA3
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,0040A1F2), ref: 00414FB4
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FB7
                    • Part of subcall function 00414EA2: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,0040A1F2), ref: 00414FC8
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FCB
                    • Part of subcall function 00414EA2: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,0040A1F2), ref: 00414FD9
                    • Part of subcall function 00414EA2: GetProcAddress.KERNEL32(00000000), ref: 00414FDC
                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SXQdCnmxiH.exe,00000104), ref: 0040A1FF
                  • CreateThread.KERNELBASE(00000000,00000000,Function_00015917,00000000,00000000,00000000), ref: 0040A493
                  • SetProcessDEPPolicy.KERNEL32(00000000,00000000), ref: 0040A4E3
                  • CreateThread.KERNELBASE(00000000,00000000,Function_0000A6C0,00000000,00000000,00000000), ref: 0040A4EF
                  • DeleteFileW.KERNEL32(00000000), ref: 0040A5B2
                    • Part of subcall function 0040BE14: __EH_prolog.LIBCMT ref: 0040BE19
                  • Sleep.KERNEL32(0000000A), ref: 0040A5A2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Module$Handle$LibraryLoad$CreateFileThread$DeleteH_prologNamePolicyProcessSleep
                  • String ID: Access Level: $Administrator$C:\Users\user\Desktop\SXQdCnmxiH.exe$Exe$Exe$Remcos Agent initialized$Rmc-WSY52E$Software\$User$\~F$\~F$del$del$licence$license_code.txt
                  • API String ID: 4062606258-121113440
                  • Opcode ID: 4e28712fc4b9a8b12147ce51a2f9e7833082a9e1baf3a5730e747a5afa57dc82
                  • Instruction ID: d7fcdb205b9e3cc44b5ec7ae23bc972780870e849d8e3733c4f0c5e7c005d7b2
                  • Opcode Fuzzy Hash: 4e28712fc4b9a8b12147ce51a2f9e7833082a9e1baf3a5730e747a5afa57dc82
                  • Instruction Fuzzy Hash: EBA1A13071430067C619BB768D5BA6E36599BC1709F10493FF6467B2C2EEBC9E09835E

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0040CFD6: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
                    • Part of subcall function 0040CFD6: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
                    • Part of subcall function 0040CFD6: RegCloseKey.KERNELBASE(?), ref: 0040D01F
                  • Sleep.KERNELBASE(00000BB8), ref: 0040A76B
                  • ExitProcess.KERNEL32 ref: 0040A7CC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseExitOpenProcessQuerySleepValue
                  • String ID: 5.0.0 Light$C:\Users\user\Desktop\SXQdCnmxiH.exe$override
                  • API String ID: 2281282204-4118072177
                  • Opcode ID: de87c53a580f659174bf1bd3754530e609291f3eed815c1919bcd4fa9d9cacbf
                  • Instruction ID: 323f05c9e6b9e9d97ce39f937589ef5f1850760f89f461d1ab376a1f97973b78
                  • Opcode Fuzzy Hash: de87c53a580f659174bf1bd3754530e609291f3eed815c1919bcd4fa9d9cacbf
                  • Instruction Fuzzy Hash: F921AE61F1420067C608BA7A4D4B92E3A699B91719F40853EB901772CBEE7DCE09839F
                  APIs
                  • GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: LocalTime
                  • String ID: | $%02i:%02i:%02i:%03i
                  • API String ID: 481472006-2430845779
                  • Opcode ID: 09fd29e6324a39776a9cc881dc958e0b34cd3948b3a678230b07d70f5a36afbd
                  • Instruction ID: 14a7f7623e9b81fd152da17a30c3428a16553f718532ff7384b8b6c53ca4bb68
                  • Opcode Fuzzy Hash: 09fd29e6324a39776a9cc881dc958e0b34cd3948b3a678230b07d70f5a36afbd
                  • Instruction Fuzzy Hash: 901181725083455BC304FB71D9558ABB3E8AB44305F10093FFA8A920D1FF7CDA88C65A
                  APIs
                  • GetComputerNameExW.KERNELBASE(00000001,?,0040A4C5,75920F10), ref: 00413CBC
                  • GetUserNameW.ADVAPI32(?,?), ref: 00413CD4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Name$ComputerUser
                  • String ID:
                  • API String ID: 4229901323-0
                  • Opcode ID: 144f51ac76a5c22de7d265f40f6e653c0b9b1ffb8aa66d763078f3a739eb3950
                  • Instruction ID: 9575080185fc9b94c1c02c15cbbfd2da0248f6688d841492f30f465e1445ce69
                  • Opcode Fuzzy Hash: 144f51ac76a5c22de7d265f40f6e653c0b9b1ffb8aa66d763078f3a739eb3950
                  • Instruction Fuzzy Hash: 0701FF7590011CABCB05EFD4DC45EDEBB7CAF44309F10017AB505B7191EEB46B898B99

                  Control-flow Graph

                   control_flow_graph: entry block 40e92f; blocks call Sleep (twice), WSAGetLastError and GetTickCount. (The basic-block edge list is rendered as an executed/not-executed graph image in the original report and is omitted here.)
                  APIs
                  • Sleep.KERNEL32(00000000,00000029,00000000,75920F10,00467F30), ref: 0040E980
                  • WSAGetLastError.WS2_32(00000000,00000001), ref: 0040EB91
                  • Sleep.KERNELBASE(00000000,00000002), ref: 0040F494
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Sleep$ErrorLastLocalTime
                  • String ID: | $%I64u$0-Z$127.0.0.1:2404$5.0.0 Light$C:\Users\user\Desktop\SXQdCnmxiH.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-WSY52E$TLS Off$TLS On $X|F$X|F$\~F$\~F$\~F$hlight$name
                  • API String ID: 524882891-3424888299
                  • Opcode ID: dbed92866c2d51782df0cb33f21d54113799a0477e5918af70d27b9cb65007ac
                  • Instruction ID: c344de4cf0f4a9d4dde5e52d9ce8f823ee96830f3a34fd75b43bb55ba94f9b89
                  • Opcode Fuzzy Hash: dbed92866c2d51782df0cb33f21d54113799a0477e5918af70d27b9cb65007ac
                  • Instruction Fuzzy Hash: F7527D71A002145ACB19F732DD66AEE73759F90308F5041BFB60A771D2EE781F88CA59

                  Control-flow Graph

                  APIs
                  • DefWindowProcA.USER32(?,00000401,?,?), ref: 00415A94
                  • GetCursorPos.USER32(?), ref: 00415AA3
                  • SetForegroundWindow.USER32(?), ref: 00415AAC
                  • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00415AC6
                  • Shell_NotifyIconA.SHELL32(00000002,00467A48), ref: 00415B17
                  • ExitProcess.KERNEL32 ref: 00415B1F
                  • CreatePopupMenu.USER32 ref: 00415B25
                  • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 00415B3A
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                  • String ID: Close
                  • API String ID: 1657328048-3535843008
                  • Opcode ID: 3e504e962ea3c35dd946fc843adab0da61294b5598716700d26172f26c4c26bb
                  • Instruction ID: b4011587fd3e9a16695e9b898f8ea1d0863b7beb583a21c878b8c8866c2b476e
                  • Opcode Fuzzy Hash: 3e504e962ea3c35dd946fc843adab0da61294b5598716700d26172f26c4c26bb
                  • Instruction Fuzzy Hash: 8F216935548209EFDB198FA4ED0EAEA3F75EB45301F000179FA06944B0D7B6A960EB1E

                  Control-flow Graph

                  APIs
                  • connect.WS2_32(?,?,?), ref: 00401726
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00401846
                  • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00401854
                  • WSAGetLastError.WS2_32 ref: 00401867
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CreateEvent$ErrorLastLocalTimeconnect
                  • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                  • API String ID: 994465650-2151626615
                  • Opcode ID: aafa84b234a9725ed83c6705888f4c042918f5a93ba48a3ad5cf2dd38e6a19be
                  • Instruction ID: fc3b47e22b7b9638642ab3b7b6a1439c02ffcef2ea28323752025821876101bf
                  • Opcode Fuzzy Hash: aafa84b234a9725ed83c6705888f4c042918f5a93ba48a3ad5cf2dd38e6a19be
                  • Instruction Fuzzy Hash: 82410531B44201B7C7047BBA891F96D7A26AB82309B40416FEC02276D3EA7DAD1587DF

                  Control-flow Graph

                  APIs
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C59
                  • SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C68
                  • CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C71
                  • closesocket.WS2_32(000000FF), ref: 00401C7F
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401CB6
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CCB
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00401CD2
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CE7
                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CEC
                  • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00401FE3), ref: 00401CF1
                  • SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401CFE
                  • CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401D03
                  Yara matches
                  Similarity
                  • API ID: CloseEvent$ObjectSingleWait$ChangeFindHandleNotification$closesocket
                  • String ID:
                  • API String ID: 4074944092-0
                  • Opcode ID: 37cb6d8543e1ee3bb7506ce3e1e55bed7cfd695e0106200a3cd08fc041010aa5
                  • Instruction ID: d4f806c8475b95b6aa7d0dc6c7be9a9421d063fd5854718ccf9566762f00af95
                  • Opcode Fuzzy Hash: 37cb6d8543e1ee3bb7506ce3e1e55bed7cfd695e0106200a3cd08fc041010aa5
                  • Instruction Fuzzy Hash: 84213831544B01AFDB316F21DC49B1ABBA2FF41326F104A2DE0E621AF0CB75E851EB58

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00448D6D: CreateFileW.KERNELBASE(00000000,00000000,?,00449148,?,?,00000000,?,00449148,00000000,0000000C), ref: 00448D8A
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 004491B3
                  • __dosmaperr.LIBCMT ref: 004491BA
                  • GetFileType.KERNELBASE(00000000), ref: 004491C6
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 004491D0
                  • __dosmaperr.LIBCMT ref: 004491D9
                  • CloseHandle.KERNEL32(00000000), ref: 004491F9
                  • CloseHandle.KERNEL32(00000000), ref: 00449343
                  • GetLastError.KERNEL32 ref: 00449375
                  • __dosmaperr.LIBCMT ref: 0044937C
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                  • String ID: H
                  • API String ID: 4237864984-2852464175
                  • Opcode ID: c2af7d1b06a1212851ce2ec52a34d9d553b4302fcc393fb9b801bedd13947016
                  • Instruction ID: f258471b3737db3756390c2c9d99530eb108cfb44089f59e238bbd3746a2798e
                  • Opcode Fuzzy Hash: c2af7d1b06a1212851ce2ec52a34d9d553b4302fcc393fb9b801bedd13947016
                  • Instruction Fuzzy Hash: A5A13632A041049FEF19DF68D8517AF7BA0AB0A324F14019EF811EB3D1DB799D12DB59

                  Control-flow Graph

                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00415930
                    • Part of subcall function 004159C9: RegisterClassExA.USER32(00000030), ref: 00415A15
                    • Part of subcall function 004159C9: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A30
                    • Part of subcall function 004159C9: GetLastError.KERNEL32 ref: 00415A3A
                  • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00415967
                  • lstrcpynA.KERNEL32(Remcos,Remcos,00000080), ref: 00415981
                  • Shell_NotifyIconA.SHELL32(00000000,00467A48), ref: 00415997
                  • TranslateMessage.USER32(?), ref: 004159A3
                  • DispatchMessageA.USER32(?), ref: 004159AD
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004159BA
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                  • String ID: Remcos$Remcos
                  • API String ID: 1970332568-1427383021
                  • Opcode ID: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
                  • Instruction ID: faf1edc93a5aedac402756c21b5fb189501910e188ddad8ff583182de876f53a
                  • Opcode Fuzzy Hash: 6840af3b0f868fa075757d5fdcec3e3c970199560f76d4881f8831560035f363
                  • Instruction Fuzzy Hash: 250121B1944249EBD7109FE1ED4CEDF7BBCEB86B09F00003AF90592560EBB855458B5A

                  Control-flow Graph

                  APIs
                  • AllocConsole.KERNELBASE(00467E5C), ref: 004150E6
                  • GetConsoleWindow.KERNELBASE ref: 004150EC
                  • ShowWindow.USER32(00000000,00000000), ref: 004150FF
                  • SetConsoleOutputCP.KERNELBASE(000004E4,?,?,?,00000000,75920F10), ref: 00415126
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Console$Window$AllocOutputShow
                  • String ID: Remcos v$5.0.0 Light$CONOUT$
                  • API String ID: 4067487056-3540875885
                  • Opcode ID: 8206578266f691274023d2364adc21632410c65c9ed2f139aec597bbfef102c3
                  • Instruction ID: ff137b9c6d7fa4733ae12c39c28e9430870264f94df7af7c76d777de9f2de76d
                  • Opcode Fuzzy Hash: 8206578266f691274023d2364adc21632410c65c9ed2f139aec597bbfef102c3
                  • Instruction Fuzzy Hash: 50113D71D047007ACA11EF656C06FCBB799AF92B11F100163FC4C7F152D6E62D4A46AD

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00414407: GetCurrentProcess.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 00414418
                    • Part of subcall function 00414407: IsWow64Process.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 0041441F
                    • Part of subcall function 0040D033: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 0040D057
                    • Part of subcall function 0040D033: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 0040D074
                    • Part of subcall function 0040D033: RegCloseKey.KERNELBASE(?), ref: 0040D07F
                  • StrToIntA.SHLWAPI(00000000,0045F27C,?,00000000,00000000,?,00467E5C,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 004139D1
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Process$CloseCurrentOpenQueryValueWow64
                  • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                  • API String ID: 782494840-2070987746
                  • Opcode ID: 75af28c961aad9f1d3d509f2c99c4ce64697369743e7063e3802c9358b5805d7
                  • Instruction ID: a37e34f24d51fcc0472262b49e2239fb508ed080f0187e6fdbdb8c85dbe76677
                  • Opcode Fuzzy Hash: 75af28c961aad9f1d3d509f2c99c4ce64697369743e7063e3802c9358b5805d7
                  • Instruction Fuzzy Hash: E41129B1A402001AC600F7A5DC4BAAF7B588B44309F54017FF949B31D3EABD1D8E82AF

                  Control-flow Graph

                  APIs
                  • RegisterClassExA.USER32(00000030), ref: 00415A15
                  • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 00415A30
                  • GetLastError.KERNEL32 ref: 00415A3A
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ClassCreateErrorLastRegisterWindow
                  • String ID: 0$MsgWindowClass
                  • API String ID: 2877667751-2410386613
                  • Opcode ID: c1f476043400c0f605409f013886e3c137927802b614bce84191cc775cb47f54
                  • Instruction ID: 8f9955ca044bdc5388bad4111c72a4c8b74e298af81136cfcbc1a21a375cadec
                  • Opcode Fuzzy Hash: c1f476043400c0f605409f013886e3c137927802b614bce84191cc775cb47f54
                  • Instruction Fuzzy Hash: 5F0129B5D00218ABDB00DFD6DCC59EFBBBCFE45395F40053AF814A6240E77459088AA4

                  Control-flow Graph

                  APIs
                  • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,00415131,?,?,?,00000000,75920F10), ref: 004150A4
                  • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,?,?,?,?,?,?,00415131,?,?,?,00000000,75920F10), ref: 004150B1
                  • SetConsoleTextAttribute.KERNELBASE(00000000,0000000C,?,?,?,?,?,?,00415131,?,?,?,00000000,75920F10), ref: 004150BE
                  • SetConsoleTextAttribute.KERNELBASE(00000000,?,?,?,?,?,?,?,00415131,?,?,?,00000000,75920F10), ref: 004150D1
                  Strings
                  • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 004150C4
                  Yara matches
                  Similarity
                  • API ID: Console$AttributeText$BufferHandleInfoScreen
                  • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                  • API String ID: 3024135584-2418719853
                  • Opcode ID: cada3afb149ddae7817ec8520d72f52702fcff0883308cdb62645d729372a309
                  • Instruction ID: dbcdd4267bcad36c6c0ca05fe9f05fc7c46b0a701221cc06fd98f176dd3da12b
                  • Opcode Fuzzy Hash: cada3afb149ddae7817ec8520d72f52702fcff0883308cdb62645d729372a309
                  • Instruction Fuzzy Hash: A0E048B690424477D6102BB5AD4FC6F7B6CE74EA13B100626FE1191193D974540546B5

                  Control-flow Graph

                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00401D9F
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00401DEB
                  • CreateThread.KERNELBASE(00000000,00000000,Function_00001F6E,?,00000000,00000000), ref: 00401DFE
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 00401DB2
                  Yara matches
                  Similarity
                  • API ID: Create$EventLocalThreadTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 2532271599-1507639952
                  • Opcode ID: d936ff517e867ec1494161e1539627597aa1b070665b7b3dd5d23c9b6f5a24f2
                  • Instruction ID: f267d0380031b3e41edc16eb56d039e36effbc4ed9ce718ade574247f38354b6
                  • Opcode Fuzzy Hash: d936ff517e867ec1494161e1539627597aa1b070665b7b3dd5d23c9b6f5a24f2
                  • Instruction Fuzzy Hash: FF11E3319042847BCB20A77B8C0DEAB7FA89BD2714F04056FF841522A2D6B89485C7B6

                  Control-flow Graph

                  APIs
                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
                  • RegSetValueExA.KERNELBASE(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D239
                  • RegCloseKey.KERNELBASE(?,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D244
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: 5.0.0 Light
                  • API String ID: 1818849710-1658188269
                  • Opcode ID: 4c11011ed91615ed449d557f2cb5f0cac9017d8dffc854813b342cad1c47c25c
                  • Instruction ID: 6ed167473aa60a37b0250efa5a9f8e70a21de1b3c74ed894fe2200c7977eaecf
                  • Opcode Fuzzy Hash: 4c11011ed91615ed449d557f2cb5f0cac9017d8dffc854813b342cad1c47c25c
                  • Instruction Fuzzy Hash: 6EF0F632900108FBCB00AFA0DC05EEE776CEF05304F10817ABE09A7090D6359E08DA58
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,time,?,?,0040931D,time), ref: 0040CFA3
                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040931D,time), ref: 0040CFB7
                  • RegCloseKey.ADVAPI32(?,?,?,0040931D,time), ref: 0040CFC2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: time
                  • API String ID: 3677997916-1872009285
                  • Opcode ID: 3d9336ecc6ccbbaa375e86689aeaf5a7b0e7d31921b6354898293be20d548a3b
                  • Instruction ID: bd5a3b1d52e5f37f2b350d5c8a40c3be414df84fcb0957fc7161f8c9d89f8660
                  • Opcode Fuzzy Hash: 3d9336ecc6ccbbaa375e86689aeaf5a7b0e7d31921b6354898293be20d548a3b
                  • Instruction Fuzzy Hash: 27E06D36901238FBDB208BA29C0DEEB7F6DEF077A4F014165BC08A3150D2314E10E6E5
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID: $YF$(YF
                  • API String ID: 269201875-3076791214
                  • Opcode ID: ea953f86e87fe0253ed0921ec9b28478cf690536176f1fe1b8f882d2ba47c8a4
                  • Instruction ID: f43705692b5ae1b3fe1dc6f6d27c1338305569b831f6e2f488c6916a8aa93b75
                  • Opcode Fuzzy Hash: ea953f86e87fe0253ed0921ec9b28478cf690536176f1fe1b8f882d2ba47c8a4
                  • Instruction Fuzzy Hash: BD110A715063019FE721DF26D442B57B3E8EF18368F20141FE55A87381E779A5418798
                  APIs
                  • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040A324,Exe,00000000,0000000E,00000000,004595AC,00000003,00000000), ref: 004087FE
                  • GetLastError.KERNEL32 ref: 00408804
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateErrorLastMutex
                  • String ID: Rmc-WSY52E
                  • API String ID: 1925916568-303213725
                  • Opcode ID: 314d4f172206a9eb5b92c906b09b60388ef4e13389a98520ee79ab65053193e3
                  • Instruction ID: 6baf249de0d3dc06267911a2b201103adb64cf56309d4e230eaecd3af38e6972
                  • Opcode Fuzzy Hash: 314d4f172206a9eb5b92c906b09b60388ef4e13389a98520ee79ab65053193e3
                  • Instruction Fuzzy Hash: BEC08C787A42005BE70923609D8EB2C2440FB4870BF10807AF207D40D0CBD48840852A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8ac963da1c5267d9bb276a7009a837085d75c1bb0fb8f235009d8ebb18713e5
                  • Instruction ID: 5776729281b571a109ce8e27bcb5eee91fbd24d81232978965dd987dc401f917
                  • Opcode Fuzzy Hash: b8ac963da1c5267d9bb276a7009a837085d75c1bb0fb8f235009d8ebb18713e5
                  • Instruction Fuzzy Hash: 4B51C171E01209ABCB21DFA6C945FEF7BB4AF5D324F10205BF804A72D1D6789901CB69
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 0040D057
                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 0040D074
                  • RegCloseKey.KERNELBASE(?), ref: 0040D07F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: fc6920a8ad1e36ab75ba227af96c60f38fc26d49b609ac94cf8df73750947554
                  • Instruction ID: 278ad9154f1ce76a350fae622b85d711f500ae10b988d90d42188caca0eb382b
                  • Opcode Fuzzy Hash: fc6920a8ad1e36ab75ba227af96c60f38fc26d49b609ac94cf8df73750947554
                  • Instruction Fuzzy Hash: 4A01A27AA00118BBCB209BA1DC08DDFBF7DDB45354F000166BF09B3240DA308E1A97A8
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 0040CFF6
                  • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00467F30), ref: 0040D014
                  • RegCloseKey.KERNELBASE(?), ref: 0040D01F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: e592611ac1df46e9894313f59dd51c70e2b68ec3ecfd636aaf19af281ba9a101
                  • Instruction ID: 33f623514ab255e65baa477c0dc56520edcd29db8e6df8999e1664f74b13a20f
                  • Opcode Fuzzy Hash: e592611ac1df46e9894313f59dd51c70e2b68ec3ecfd636aaf19af281ba9a101
                  • Instruction Fuzzy Hash: 0DF01776D00218BFDF109FE09C05FEEBBBCEB05714F1080A6FE08E6191E6315A159B98
                  APIs
                  • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D31E
                  • RegSetValueExA.KERNELBASE(?,00000004,00000000,00000004,?,00000004,?,?,?,00408639,00459A08,00000001), ref: 0040D339
                  • RegCloseKey.KERNELBASE(?,?,?,?,00408639,00459A08,00000001), ref: 0040D344
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID:
                  • API String ID: 1818849710-0
                  • Opcode ID: 14be83db9b41c06429f60159f8658df105e68c100aba706b4cb45cffbce0389c
                  • Instruction ID: a9c042b41267e05b5fe6fbba70f346c59bdfd29fc0071325fc843d2e7531bfd3
                  • Opcode Fuzzy Hash: 14be83db9b41c06429f60159f8658df105e68c100aba706b4cb45cffbce0389c
                  • Instruction Fuzzy Hash: AEE06D76A00208FBDF109FE09C05FEA7B6CEF06B54F104165BF08A7190D2359E18D7A9
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: H_prolog
                  • String ID: 5.0.0 Light
                  • API String ID: 3519838083-1658188269
                  • Opcode ID: fec3143edbccd31c3091bcec7273a84245e6bd5eb26d5f65487b3e3534025140
                  • Instruction ID: 079cae247f2c36820c9884641081dcb0072b2eb0e780b5d9fb90715d58c40466
                  • Opcode Fuzzy Hash: fec3143edbccd31c3091bcec7273a84245e6bd5eb26d5f65487b3e3534025140
                  • Instruction Fuzzy Hash: B021A271B002055BCB05BFA6869A67E77AAEB84314F10417FF809B73C1DBB85E029799
                  APIs
                  • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,0043E442,0044A1A5,00000000,00000000,00000000,00000000,00000000), ref: 0043DFA1
                  • GetLastError.KERNEL32(?,0043E442,0044A1A5,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0043DFCA
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorFileLastWrite
                  • String ID:
                  • API String ID: 442123175-0
                  • Opcode ID: 2d19c153d1ad6744e2c64f980f6d24ae0948330a4cd427f2ce19eaa6da087db1
                  • Instruction ID: 935321d5817fc7e64479544e29b95db75ca753b5934b14ab3be4d1667a1a2d05
                  • Opcode Fuzzy Hash: 2d19c153d1ad6744e2c64f980f6d24ae0948330a4cd427f2ce19eaa6da087db1
                  • Instruction Fuzzy Hash: DF21A075A002199FCB24CF69D9C0BE9B3F9FB4C302F1044AAE547D3251D674AE85CB68
                  APIs
                  • socket.WS2_32(?,00000001,00000006), ref: 00401698
                  • CreateEventW.KERNEL32(?,?,?,?,?,00000000,00000000,00000001,00000000,?,0040157C), ref: 004016D4
                    • Part of subcall function 004016E4: WSAStartup.WS2_32(00000202,00000000), ref: 004016F9
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEventStartupsocket
                  • String ID:
                  • API String ID: 1953588214-0
                  • Opcode ID: 6f75bc97ffbe4c7096b232534de59367a28b93499fce99047ecfa8fc1d3cba5a
                  • Instruction ID: 7320db740e5de4a067090f785b63afbc9c5e7a6ae68042f9260cdd7fb55c6c09
                  • Opcode Fuzzy Hash: 6f75bc97ffbe4c7096b232534de59367a28b93499fce99047ecfa8fc1d3cba5a
                  • Instruction Fuzzy Hash: 75018471404B809FD7358F79B8856867FE0AB16304F084E6EF4D693BA1D3B1A841CF19
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5ba876b942a128ae7585d30a8ed8241bb7ebe32929dbda7c97020cfc4ae0ca7d
                  • Instruction ID: 0b2bdfc656d1a8f1be9913624580b806ffdfaf88d76df6e948d8f045970f806e
                  • Opcode Fuzzy Hash: 5ba876b942a128ae7585d30a8ed8241bb7ebe32929dbda7c97020cfc4ae0ca7d
                  • Instruction Fuzzy Hash: 21F059317041481ACF0C8F359950E7A37458B40324F60473FF02AEA5F0DB3CE841824C
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: __wsopen_s
                  • String ID:
                  • API String ID: 3347428461-0
                  • Opcode ID: abfe0aeb3611c65bc85ac37db8e5cac0b71cb654ba67fe438398fff9b6840577
                  • Instruction ID: 389d575f4576099494b0386ddd5197d9fd21681687e5e665cd1bf7e71215225b
                  • Opcode Fuzzy Hash: abfe0aeb3611c65bc85ac37db8e5cac0b71cb654ba67fe438398fff9b6840577
                  • Instruction Fuzzy Hash: 93115A7190420AAFCF05DF58E94499B7BF4EF48310F0040AAF809EB311E630ED15CBA9
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: a62dc33c8eb1dacff565b839e906bce7cfff218d1b84778382cb48491322aa9a
                  • Instruction ID: bb924868f552fff002450c2847a37319dc2c09cc7617978b7d9d1612509b7404
                  • Opcode Fuzzy Hash: a62dc33c8eb1dacff565b839e906bce7cfff218d1b84778382cb48491322aa9a
                  • Instruction Fuzzy Hash: BDF09A32410108BBEF105EA6DC02CDB3B6DEF89334F10015AFA2492050DA3A8D20ABA5
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeap
                  • String ID:
                  • API String ID: 1279760036-0
                  • Opcode ID: 83a6ad818ff6c53f8a2d04a2b7fff5b2217f6aca838e2851348d419017da65d3
                  • Instruction ID: 1c49de10af20b36cf42706bcee2faa33b4703551abad10f9a5d42b1c0bc37b5e
                  • Opcode Fuzzy Hash: 83a6ad818ff6c53f8a2d04a2b7fff5b2217f6aca838e2851348d419017da65d3
                  • Instruction Fuzzy Hash: 66E0E53120561067EA3026639C02B9B7658DB8A3B8F053127BE18932D2DF28DC0182EE
                  APIs
                  • WSAStartup.WS2_32(00000202,00000000), ref: 004016F9
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Startup
                  • String ID:
                  • API String ID: 724789610-0
                  • Opcode ID: e50017129938cfbe3221009fc5a66636bc529876c3cda7727663cbcf13723da3
                  • Instruction ID: 157fcaaa1b1371d0012ff25f3652b264474b5e48eafd55f8392509abd46d12fa
                  • Opcode Fuzzy Hash: e50017129938cfbe3221009fc5a66636bc529876c3cda7727663cbcf13723da3
                  • Instruction Fuzzy Hash: 10D012339586484EE610AFB5AC5FCA4775CC313A11F0003BAACB5825D6F640161CC7AB
                  APIs
                  • CreateFileW.KERNELBASE(00000000,00000000,?,00449148,?,?,00000000,?,00449148,00000000,0000000C), ref: 00448D8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: c2e0d357e21f07e3f2a4c2d0d6279b3205c94f284d15d234eff5ee6480b74e43
                  • Instruction ID: d24ee2a4cbda0edcb0d4e7760a9dae8735a6f5960ac27fba7fda53134d690632
                  • Opcode Fuzzy Hash: c2e0d357e21f07e3f2a4c2d0d6279b3205c94f284d15d234eff5ee6480b74e43
                  • Instruction Fuzzy Hash: 3AD06C3200010DBBDF029F84DC06EDA3BAAFB48714F018050FA1856020C772E831AB95
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountEventTick
                  • String ID: }F$PowrProf.dll$SetSuspendState$X|F$hlight
                  • API String ID: 180926312-747135334
                  • Opcode ID: d40f5866fd22c538191de32dc926dd33d7cef8a7ff9488b12de6a57bf2daebf4
                  • Instruction ID: 35850cb6a3a728cc8f930c61bd9325d2332d1fc2fd63d224cbd8043cb7a6a1bd
                  • Opcode Fuzzy Hash: d40f5866fd22c538191de32dc926dd33d7cef8a7ff9488b12de6a57bf2daebf4
                  • Instruction Fuzzy Hash: DF52D53161430067C615FB72CC5AAAE369A9F90709F00493FF646B71D2EEBC9A48C75E
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 0040513C
                  • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 0040520A
                  • DeleteFileW.KERNEL32(00000000), ref: 0040522C
                    • Part of subcall function 0041474A: FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 004147E1
                    • Part of subcall function 0041474A: FindNextFileW.KERNEL32(00000000,?), ref: 00414818
                    • Part of subcall function 0041474A: RemoveDirectoryW.KERNEL32(?), ref: 00414892
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                    • Part of subcall function 004018E7: WaitForSingleObject.KERNEL32(?,00000000,?,00000008,00000004,00000000,0000000C,00000000), ref: 0040196B
                    • Part of subcall function 004018E7: SetEvent.KERNEL32(?), ref: 00401999
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405619
                  • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004056FA
                  • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00405946
                  • DeleteFileA.KERNEL32(?), ref: 00405AD4
                    • Part of subcall function 00405C8E: __EH_prolog.LIBCMT ref: 00405C93
                    • Part of subcall function 00405C8E: FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
                    • Part of subcall function 00405C8E: __CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
                    • Part of subcall function 00405C8E: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81
                  • Sleep.KERNEL32(000007D0), ref: 00405B7A
                  • StrToIntA.SHLWAPI(00000000,00000000), ref: 00405BBC
                    • Part of subcall function 00414D34: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E29
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Find$AttributesDeleteEventFirstNext$DirectoryDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersRemoveShellSingleSleepStringsSystemThrowTimeWaitsend
                  • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$X|F$open
                  • API String ID: 577278831-3555090288
                  • Opcode ID: aec2215c36828261dda0155639b9b8943aca7c8b8ce1cde43719ca40adfe20b2
                  • Instruction ID: 05b9a50af31d946e475c7671406445b29bc56f919fc344a53d22da7f997295c9
                  • Opcode Fuzzy Hash: aec2215c36828261dda0155639b9b8943aca7c8b8ce1cde43719ca40adfe20b2
                  • Instruction Fuzzy Hash: 2842C0716143006BC604FB76CD5B9AF76A9AF91308F40093FF646671D2EE7C9A0C879A
                  APIs
                  • __Init_thread_footer.LIBCMT ref: 00403B5D
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • __Init_thread_footer.LIBCMT ref: 00403B9A
                  • CreatePipe.KERNEL32(004697C4,004697AC,004696D0,00000000,004595AC,00000000), ref: 00403C28
                  • CreatePipe.KERNEL32(004697B0,004697CC,004696D0,00000000), ref: 00403C42
                  • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,004696E0,004697B4), ref: 00403CB8
                  • Sleep.KERNEL32(0000012C), ref: 00403D0F
                  • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00403D32
                  • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00403D5C
                  • WriteFile.KERNEL32(00000000,00000000,?,00000000,00467D08,004595B0), ref: 00403E5C
                    • Part of subcall function 0042BE33: __onexit.LIBCMT ref: 0042BE39
                  • Sleep.KERNEL32(00000064), ref: 00403E78
                  • TerminateProcess.KERNEL32(00000000), ref: 00403E91
                  • CloseHandle.KERNEL32 ref: 00403E9D
                  • CloseHandle.KERNEL32 ref: 00403EA5
                  • CloseHandle.KERNEL32 ref: 00403EB7
                  • CloseHandle.KERNEL32 ref: 00403EBF
                  Strings
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                  • String ID: SystemDrive$cmd.exe
                  • API String ID: 2994406822-3633465311
                  • Opcode ID: eb2144c6879088a7cc0ca26fa3871148f1d44f3064618a89a7974109d603f9cd
                  • Instruction ID: 2e990afcd00a3dea81e5073800be4d4f6bde31a57dadd250b8f1802511b53a5e
                  • Opcode Fuzzy Hash: eb2144c6879088a7cc0ca26fa3871148f1d44f3064618a89a7974109d603f9cd
                  • Instruction Fuzzy Hash: 38919F71A10214EBDB01AFA5ED459AE3B6DEB40706B04403BF501B72E1EBF95E04CB9E
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040805D
                  • FindClose.KERNEL32(00000000), ref: 00408077
                  • FindNextFileA.KERNEL32(00000000,?), ref: 004081AE
                  • FindClose.KERNEL32(00000000), ref: 004081D4
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Find$CloseFile$FirstNext
                  • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                  • API String ID: 1164774033-3681987949
                  • Opcode ID: a72677bb71a166f414519e8a5b659af094328504ea03926f4c9eda5a675a91fd
                  • Instruction ID: 4f94b8bf480a2d25f60048e0cbb89c7e7dd9d8c7e934bf49c66b8109683cb02a
                  • Opcode Fuzzy Hash: a72677bb71a166f414519e8a5b659af094328504ea03926f4c9eda5a675a91fd
                  • Instruction Fuzzy Hash: F5519230A101299ECB14FB71DE5ADEEB734AF21304F10017FE646761D2EFB85A89CA59
                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 00408271
                  • FindClose.KERNEL32(00000000), ref: 00408287
                  • FindNextFileA.KERNEL32(00000000,?), ref: 004082B1
                  • DeleteFileA.KERNEL32(00000000,00000000), ref: 00408359
                  • GetLastError.KERNEL32 ref: 00408363
                  • FindNextFileA.KERNEL32(00000000,00000010), ref: 00408377
                  • FindClose.KERNEL32(00000000), ref: 0040839D
                  • FindClose.KERNEL32(00000000), ref: 004083BE
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Find$File$Close$Next$DeleteErrorFirstLast
                  • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                  • API String ID: 532992503-432212279
                  • Opcode ID: 46cec3afd8b3d72ed845a21a913d91c7a5ebeaa133da141a060078f1811b4510
                  • Instruction ID: 4185785fb554f999c1faeeb4acac9fdbdfeb737a12451b5992b0b0addca91318
                  • Opcode Fuzzy Hash: 46cec3afd8b3d72ed845a21a913d91c7a5ebeaa133da141a060078f1811b4510
                  • Instruction Fuzzy Hash: C441C530A002199ACB14FBB5DD5A9EE7734AF51704F5040BFF942B21D2EF7C4A89CA99
                  APIs
                  • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00468490), ref: 00412E62
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,l)A), ref: 00412EA9
                  • GetLastError.KERNEL32 ref: 00412EB7
                  • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,l)A), ref: 00412EE8
                  • OpenServiceW.ADVAPI32(00000000,?,00000001,00000000,0045F170,00000000,0045F170,00000000,0045F170), ref: 00412FB8
                  Strings
                  Yara matches
                  Similarity
                  • API ID: EnumOpenServicesStatus$ErrorLastManagerService
                  • String ID: l)A
                  • API String ID: 2247270020-4212196795
                  • Opcode ID: 96907549ab7fac77e0f00fbabe1c494029951f25acc6c89836a5e24d9ef3990a
                  • Instruction ID: d264db8b8c5d9a478fa0d09f102a3fd09bb1d4c248c32138f15a226e4fea9a1d
                  • Opcode Fuzzy Hash: 96907549ab7fac77e0f00fbabe1c494029951f25acc6c89836a5e24d9ef3990a
                  • Instruction Fuzzy Hash: C3815C31D00109ABCB19EFA1DC569EEBB38AF14315F20802AF51677191EF786F49CB68
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0$1$2$3$4$5$6$7
                  • API String ID: 0-3177665633
                  • Opcode ID: 5e13a832282d04adc9dacdba49628d85bf4086f26f455590aac93263adb8a903
                  • Instruction ID: 35f2c05aca6331e3732f54b1b5bc80d0b86fa55a0efc87c60c4c190cdc24fdc2
                  • Opcode Fuzzy Hash: 5e13a832282d04adc9dacdba49628d85bf4086f26f455590aac93263adb8a903
                  • Instruction Fuzzy Hash: 1A71E2B05083019ED315EF21C966FAA77949F44310F10492FF692A72D1DAB89D8DC75B
                  APIs
                  • FindFirstFileW.KERNEL32(?,?,00467C58,?), ref: 004147E1
                  • FindNextFileW.KERNEL32(00000000,?), ref: 00414818
                  • RemoveDirectoryW.KERNEL32(?), ref: 00414892
                  • FindClose.KERNEL32(00000000), ref: 004148C0
                  • RemoveDirectoryW.KERNEL32(?), ref: 004148C9
                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 004148E6
                  • DeleteFileW.KERNEL32(?), ref: 004148F3
                  • GetLastError.KERNEL32 ref: 0041491B
                  • FindClose.KERNEL32(00000000), ref: 0041492E
                  Yara matches
                  Similarity
                  • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                  • String ID:
                  • API String ID: 2341273852-0
                  • Opcode ID: 1ebe723779194890503f37595d29db6cdbaca6cd5793d8023b4d327d9dbf2b4b
                  • Instruction ID: 59a2a6a0a0dd354fac896b1dee2bd25d777e498892ce3c8d72424d50605989a0
                  • Opcode Fuzzy Hash: 1ebe723779194890503f37595d29db6cdbaca6cd5793d8023b4d327d9dbf2b4b
                  • Instruction Fuzzy Hash: 825109785001598ACF24EF78C8496FBB375BF95304F5041FAE85593250EB758ECACB58
                  APIs
                  • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA73
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040DA7F
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0040DC4F
                  • GetProcAddress.KERNEL32(00000000), ref: 0040DC56
                  Strings
                  Yara matches
                  Similarity
                  • API ID: AddressCloseCreateLibraryLoadProcsend
                  • String ID: SHDeleteKeyW$Shlwapi.dll
                  • API String ID: 2127411465-314212984
                  • Opcode ID: 6447683f1b1733a961ecda42eb74efba603233e643243340e654287d72e7e6c9
                  • Instruction ID: 9f2fa19e73ec771d4a0adc0517a574324c105796e8dfe951968de96579d08b7c
                  • Opcode Fuzzy Hash: 6447683f1b1733a961ecda42eb74efba603233e643243340e654287d72e7e6c9
                  • Instruction Fuzzy Hash: A1C1F972A1430066C604BB76CD5B96E36A99F91744F40093FF646BB1D3ED7C9A0CC39A
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C663
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004448EC
                  • IsValidCodePage.KERNEL32(00000000), ref: 00444947
                  • IsValidLocale.KERNEL32(?,00000001), ref: 00444956
                  • GetLocaleInfoW.KERNEL32(?,00001001,0043A127,00000040,?,0043A247,00000055,00000000,?,?,00000055,00000000), ref: 0044499E
                  • GetLocaleInfoW.KERNEL32(?,00001002,0043A1A7,00000040), ref: 004449BD
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                  • String ID: |9E
                  • API String ID: 745075371-2862116995
                  • Opcode ID: 6517d000027fcbf355b133341a61dcf5ff39b3889022135580409da348402ddb
                  • Instruction ID: c92189df352bf76efcbee2e2a3257d68bbccd9af34c5c9e418e2743967608ea8
                  • Opcode Fuzzy Hash: 6517d000027fcbf355b133341a61dcf5ff39b3889022135580409da348402ddb
                  • Instruction Fuzzy Hash: BF51A275E00219ABFB10EFA5DC45BBF73B8EF88705F14002BE910E7290D7789A449769
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0044492B,?,00000000), ref: 004446A5
                  • GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0044492B,?,00000000), ref: 004446CE
                  • GetACP.KERNEL32(?,?,0044492B,?,00000000), ref: 004446E3
                  Strings
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: +ID$ACP$OCP
                  • API String ID: 2299586839-3856522704
                  • Opcode ID: cd9fadb5b5fbe73cee739787da7e12a62cd3f1960f4a65a8d1d09c9eb58ac8cd
                  • Instruction ID: c6fe66558d1291670d97f1f96fd45a312db4112c26bc7529de6b7212a7c10bee
                  • Opcode Fuzzy Hash: cd9fadb5b5fbe73cee739787da7e12a62cd3f1960f4a65a8d1d09c9eb58ac8cd
                  • Instruction Fuzzy Hash: 7921A126A00104ABF7308F54D901B9B73AAEFD6F65B578466E909DB310E73EDE41C398
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 00407EFC
                  • GetLastError.KERNEL32 ref: 00407F06
                  Strings
                  • [Chrome StoredLogins not found], xrefs: 00407F20
                  • [Chrome StoredLogins found, cleared!], xrefs: 00407F2C
                  • UserProfile, xrefs: 00407ECC
                  • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 00407EC7
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  • API String ID: 2018770650-1062637481
                  • Opcode ID: 03905197c63807e49d752704fb3a915704c341a31f53a087d5c142ecebb14106
                  • Instruction ID: 2844ca57af16fbe20e8b2b3324451e36b3965f0c50f9402fd351fcd483c36375
                  • Opcode Fuzzy Hash: 03905197c63807e49d752704fb3a915704c341a31f53a087d5c142ecebb14106
                  • Instruction Fuzzy Hash: D2012631E941069BCA04BB75CE1B8EE7724A961305F50013FFA02731D2ED7E5909C2DB
                  APIs
                  • GetCurrentProcess.KERNEL32(00000028,00000026,00000000,?,?,?,0040FC02,00000026), ref: 00410D32
                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,0040FC02,00000026), ref: 00410D39
                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00410D4B
                  • AdjustTokenPrivileges.ADVAPI32(00000026,00000000,?,00000000,00000000,00000000), ref: 00410D6A
                  • GetLastError.KERNEL32 ref: 00410D70
                  Strings
                  Yara matches
                  Similarity
                  • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                  • String ID: SeShutdownPrivilege
                  • API String ID: 3534403312-3733053543
                  • Opcode ID: 005ac2fd3aa13d631cc96157393ce89f281683ea659a9513876e66e3ba1009c3
                  • Instruction ID: ffa9c983efe9b31ed6450dac27be982ff06a25f4c9877fb6036920e8f9a7ed49
                  • Opcode Fuzzy Hash: 005ac2fd3aa13d631cc96157393ce89f281683ea659a9513876e66e3ba1009c3
                  • Instruction Fuzzy Hash: 52F05E75901128BBDB109BE0DD0DEEF7FBCEF46319F000061F905A2051D6744A09CBB5
                  APIs
                  Strings
                  Yara matches
                  Similarity
                  • API ID: __floor_pentium4
                  • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                  • API String ID: 4168288129-2761157908
                  • Opcode ID: f26a1156701156544b6b5d25301be7810b43124cdce6ee77678dc33005582dd9
                  • Instruction ID: db0babf06ad3de6f7f618d5a7d0c73918af3c5dafe8b3c2b6264871fe941357a
                  • Opcode Fuzzy Hash: f26a1156701156544b6b5d25301be7810b43124cdce6ee77678dc33005582dd9
                  • Instruction Fuzzy Hash: ECC22971E086288FEB25CE289D407EEB7B5EB44305F1545EBD44DE7240EB78AE828F45
                  APIs
                  • __EH_prolog.LIBCMT ref: 004072EA
                    • Part of subcall function 0040170E: connect.WS2_32(?,?,?), ref: 00401726
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00407382
                  • FindFirstFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 004073E0
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00407438
                  • FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?,?,?), ref: 0040744F
                    • Part of subcall function 00401C4F: WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C59
                    • Part of subcall function 00401C4F: SetEvent.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C68
                    • Part of subcall function 00401C4F: CloseHandle.KERNEL32(?,?,?,00000000,00401FE3,?,?,?,00401F7A), ref: 00401C71
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0040768B
                  Yara matches
                  Similarity
                  • API ID: Find$Close$File$EventException@8FirstH_prologHandleNextObjectSingleThrowWaitconnectsend
                  • String ID:
                  • API String ID: 4178801697-0
                  • Opcode ID: a2a5a5a2fb7719402060d17954d5f187711b51555f2e13b115c5e37fcb2136a2
                  • Instruction ID: 5e4876d4a4a7dc638a55f6d92524dabf71615842e1d611546469fd3dc7bbd544
                  • Opcode Fuzzy Hash: a2a5a5a2fb7719402060d17954d5f187711b51555f2e13b115c5e37fcb2136a2
                  • Instruction Fuzzy Hash: 8BC1AD319001189BDB14EB60DD92AEE7779AF10318F50417EE906B71E1EF38AF49CB99
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,?,00412DA8,00000000), ref: 00413129
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00412DA8,00000000), ref: 0041313D
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DA8,00000000), ref: 0041314A
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00412DA8,00000000), ref: 00413155
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DA8,00000000), ref: 00413167
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,00412DA8,00000000), ref: 0041316A
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ManagerStart
                  • String ID:
                  • API String ID: 276877138-0
                  • Opcode ID: 87e9fc9bedbc5a357e8ee31cbec511879b42677facf5d0e240742efbe727e957
                  • Instruction ID: bec7c06133c89f649e2bfd37b6159326400c1dade623c89345cc990071d1831c
                  • Opcode Fuzzy Hash: 87e9fc9bedbc5a357e8ee31cbec511879b42677facf5d0e240742efbe727e957
                  • Instruction Fuzzy Hash: ECF0B4759012187FE2116F259C89DFF3B2CDB863A9B00403AF90593240CE78CD4795B8
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0043A12E,?,?,?,?,00439B85,?,00000004), ref: 00443F8A
                  • _wcschr.LIBVCRUNTIME ref: 0044401A
                  • _wcschr.LIBVCRUNTIME ref: 00444028
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,0043A12E,00000000,0043A24E), ref: 004440CB
                  Similarity
                  • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                  • String ID: |9E
                  • API String ID: 4212172061-2862116995
                  • Opcode ID: d9d7672ef082b98a1509e5f820655f2facbea7f7046a1e8d76539270322a7f4e
                  • Instruction ID: 31d34a130b3a729fbb28845095a51c6b44683f80b175821af3f170206089662c
                  • Opcode Fuzzy Hash: d9d7672ef082b98a1509e5f820655f2facbea7f7046a1e8d76539270322a7f4e
                  • Instruction Fuzzy Hash: F6610C71A00206AAFB24AF35CC42BB773A8EF44B15F14046FFA05DB681EB78DD548769
                  APIs
                  • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 00413B4B
                  • LoadResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413B5F
                  • LockResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413B66
                  • SizeofResource.KERNEL32(00000000,?,?,0040A627,00000000), ref: 00413B75
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID: SETTINGS
                  • API String ID: 3473537107-594951305
                  • Opcode ID: 263d98506411805d18de30793c85a23ac3b7c2f73439d8eab52d1c55755b40a5
                  • Instruction ID: 49884d02b580b25fa5a7f21f27448669bae6497f2193e2261974fa49dfd00e01
                  • Opcode Fuzzy Hash: 263d98506411805d18de30793c85a23ac3b7c2f73439d8eab52d1c55755b40a5
                  • Instruction Fuzzy Hash: A8E04F7AA00610AFC7212FE1AD8CD0B7EB9EBCA752B140235FD01D7221EA768804CF59
                  APIs
                  • __EH_prolog.LIBCMT ref: 00407738
                    • Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79
                  • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004077B0
                  • FindNextFileW.KERNEL32(00000000,?), ref: 004077D9
                  • FindClose.KERNEL32(000000FF), ref: 004077F0
                  Similarity
                  • API ID: Find$File$CloseFirstH_prologNextchar_traits
                  • String ID:
                  • API String ID: 3260228402-0
                  • Opcode ID: 48a812ebe57da1145a3ed2a4e1717bfcafc659f98a68f7f2abbf034b27950549
                  • Instruction ID: fcbc0df6a1822dbcecb7010c47b11ebfa4ac72cdf2e3eb7e4c2cf03aa24a3859
                  • Opcode Fuzzy Hash: 48a812ebe57da1145a3ed2a4e1717bfcafc659f98a68f7f2abbf034b27950549
                  • Instruction Fuzzy Hash: 99914A329000199BCB15FFA1CC929EE7779AF10348F14417BE906B71E1EB39AB49CB59
                  APIs
                  • __EH_prolog.LIBCMT ref: 00405C93
                  • FindFirstFileW.KERNEL32(00000000,?,004596B8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D4C
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 00405D74
                  • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405D81
                  • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00405EE1
                  Similarity
                  • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                  • String ID:
                  • API String ID: 1771804793-0
                  • Opcode ID: 4dc10004f8516029f12307610167d6d01f67c603a4dc2334a114a19cb8d2d58e
                  • Instruction ID: 453d059f9ac87b88ae1432b4cf64c859f612644ce6363cecf91ca4319d81190e
                  • Opcode Fuzzy Hash: 4dc10004f8516029f12307610167d6d01f67c603a4dc2334a114a19cb8d2d58e
                  • Instruction Fuzzy Hash: C4716D71900109AACB04FF61CD569EE7769EF20348F50417BF906A71D2EB389B49CB98
                  APIs
                    • Part of subcall function 0040C60C: SetLastError.KERNEL32(0000000D,0040CB8B,00000000,00000000,?), ref: 0040C612
                  • SetLastError.KERNEL32(000000C1,00000000,00000000,?), ref: 0040CBA2
                  • GetNativeSystemInfo.KERNEL32(?,00000000,00000000,?), ref: 0040CC15
                  • GetProcessHeap.KERNEL32(00000008,00000040), ref: 0040CC81
                  • HeapAlloc.KERNEL32(00000000), ref: 0040CC88
                  • SetLastError.KERNEL32(0000045A), ref: 0040CD9A
                    • Part of subcall function 0040CB1F: VirtualFree.KERNEL32(00008000,00000000,00000000,?,0040CCA1,00000000,00000000,00008000,00000000), ref: 0040CB2B
                  Similarity
                  • API ID: ErrorLast$Heap$AllocFreeInfoNativeProcessSystemVirtual
                  • String ID:
                  • API String ID: 486403682-0
                  • Opcode ID: 22395f4933e44b814d9213120d1e83cd35a3ad6338915e567d393491fa60e4ed
                  • Instruction ID: ea73f07de6651c4e82948dc819bc37a2f9300d69118c5b4379de466dbde7bce3
                  • Opcode Fuzzy Hash: 22395f4933e44b814d9213120d1e83cd35a3ad6338915e567d393491fa60e4ed
                  • Instruction Fuzzy Hash: 5B61CF70A00201EBDB109F66C9C2B6ABBB5BF84704F14427AE905BB7C1D77CE941CB99
                  APIs
                  • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 00414E29
                    • Part of subcall function 0040D202: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0040D211
                    • Part of subcall function 0040D202: RegSetValueExA.KERNELBASE(?,00459EE8,00000000,?,00000000,00000000,00467F30,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D239
                    • Part of subcall function 0040D202: RegCloseKey.KERNELBASE(?,?,?,0040A763,00459EE8,5.0.0 Light), ref: 0040D244
                  Similarity
                  • API ID: CloseCreateInfoParametersSystemValue
                  • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                  • API String ID: 4127273184-3576401099
                  • Opcode ID: 78191bc79f49b320be693b0004d014e668833fe2ef1668b744f9c0e77b77d201
                  • Instruction ID: 14f10faeeb16cbab0ab1cfa950db1497f097791f039d57847ba24a01d1ff5ef1
                  • Opcode Fuzzy Hash: 78191bc79f49b320be693b0004d014e668833fe2ef1668b744f9c0e77b77d201
                  • Instruction Fuzzy Hash: 8A11A472B8020073E905317A4D5BFAE2C059782B91F91016FFE017A6D7D9DE4A5943CF
                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,C:\Users\user\Desktop\SXQdCnmxiH.exe), ref: 004321E4
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,C:\Users\user\Desktop\SXQdCnmxiH.exe), ref: 004321EE
                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,C:\Users\user\Desktop\SXQdCnmxiH.exe), ref: 004321FB
                  Strings
                  • C:\Users\user\Desktop\SXQdCnmxiH.exe, xrefs: 00432105
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID: C:\Users\user\Desktop\SXQdCnmxiH.exe
                  • API String ID: 3906539128-347963224
                  • Opcode ID: 02b13287a3595de36f67e55b3cb109ba53d031277fde6a3259b414d85e8154b0
                  • Instruction ID: c4d41cae6f202ef3d0728250dde5efdd4fa0880195ef5f8b9763ae35930ad3ae
                  • Opcode Fuzzy Hash: 02b13287a3595de36f67e55b3cb109ba53d031277fde6a3259b414d85e8154b0
                  • Instruction Fuzzy Hash: 7131D574D412289BCB21DF65DD89B9DB7B8BF08310F5042EAE81CA7251E7749B818F49
                  APIs
                    • Part of subcall function 00414407: GetCurrentProcess.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 00414418
                    • Part of subcall function 00414407: IsWow64Process.KERNEL32(00000000,?,00000002,0040907E,WinDir,00000000,00000000), ref: 0041441F
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A81F
                  • Process32FirstW.KERNEL32(00000000,?), ref: 0040A841
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040A9C8
                  • CloseHandle.KERNEL32(00000000), ref: 0040A9D7
                  Similarity
                  • API ID: ProcessProcess32$CloseCreateCurrentFirstHandleNextSnapshotToolhelp32Wow64
                  • String ID:
                  • API String ID: 715332099-0
                  • Opcode ID: 8cea1e09518d7db44a5dac986d4f7b1bf2f649968252413dc2545da2b34be04f
                  • Instruction ID: 521dabc77453bcb0d366b47ad7fe17908ff1c6cc59b4fd0e678ff5608fd382c5
                  • Opcode Fuzzy Hash: 8cea1e09518d7db44a5dac986d4f7b1bf2f649968252413dc2545da2b34be04f
                  • Instruction Fuzzy Hash: B6412031A002299BC715FB61DC56AEEB379AF50304F1041BEF60A721D2EF785EC9CA59
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00404B51
                  • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00404BE8
                  Similarity
                  • API ID: DownloadExecuteFileShell
                  • String ID: open
                  • API String ID: 2825088817-2758837156
                  • Opcode ID: 7352c15f6536f63560b643f24dfb25d26e55f974590ec2649859a29435151220
                  • Instruction ID: 35a4ebca1e0eedd33469471f32abd1b573a6d2d001e2c1539756ec9c34dff70f
                  • Opcode Fuzzy Hash: 7352c15f6536f63560b643f24dfb25d26e55f974590ec2649859a29435151220
                  • Instruction Fuzzy Hash: 1341F47160430066DA15FA31C95AA6E37A99BC1705F40093FBB42BB1D2EE7C9A0CC75A
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C663
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004442E7
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444338
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004443F8
                  Similarity
                  • API ID: ErrorInfoLastLocale$_free$_abort
                  • String ID:
                  • API String ID: 2829624132-0
                  • Opcode ID: 5a697efdbd16430438a37962a99753d2dbef6065a103794a1ee48c219bada2c3
                  • Instruction ID: b7550aed3b493740c364c046e61b81ea2d7e197d2446d9bdf00d9a7a254af881
                  • Opcode Fuzzy Hash: 5a697efdbd16430438a37962a99753d2dbef6065a103794a1ee48c219bada2c3
                  • Instruction Fuzzy Hash: 9561B171A001079BFB28DF25CC82BBA77A8FF84704F1442ABED05C6685EB78D951DB58
                  APIs
                  • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,00000000,00000001,?,0042AF52,00000024,00000006,00000000,00000000), ref: 0042B1B0
                  • CryptGenRandom.ADVAPI32(00000000,00000000,?,?,0042AF52,00000024,00000006,00000000,00000000,?,?,?,?,?,?,00425774), ref: 0042B1C5
                  • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0042AF52,00000024,00000006,00000000,00000000,?,?,?,?,?,?,00425774,00000006), ref: 0042B1D7
                  Similarity
                  • API ID: Crypt$Context$AcquireRandomRelease
                  • String ID:
                  • API String ID: 1815803762-0
                  • Opcode ID: 44790d241726070a8538b1cfb3a01e3b0616d6fed35af51b31dbe4d762727151
                  • Instruction ID: 99b08457bcb1c86eba9384c602cc432831f81beb16bfd056ec796fc6dabe24e6
                  • Opcode Fuzzy Hash: 44790d241726070a8538b1cfb3a01e3b0616d6fed35af51b31dbe4d762727151
                  • Instruction Fuzzy Hash: 7DF09235308220BBEB311F15FC18F673F59DB82BE8F640136FA09E50E4D7628812969C
                  APIs
                  • GetCurrentProcess.KERNEL32(00000003,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002,00000000,?,0043B5C5,00000003), ref: 004389D5
                  • TerminateProcess.KERNEL32(00000000,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002,00000000,?,0043B5C5,00000003), ref: 004389DC
                  • ExitProcess.KERNEL32 ref: 004389EE
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 5053c5042ab8a702aed5d37823a3e82b60a3b6d5fbb9c76a68a5d583bca2dd4e
                  • Instruction ID: 9077858e183ca5193bab35e0c6da0670afc4f5376d598408ceef6535c01fa92d
                  • Opcode Fuzzy Hash: 5053c5042ab8a702aed5d37823a3e82b60a3b6d5fbb9c76a68a5d583bca2dd4e
                  • Instruction Fuzzy Hash: 82E04635401248ABCF116F64DC0AA5A7F29FF4A386F005429F8098B222CF39EC42DB48
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004104FF,00000000), ref: 00414090
                  • NtSuspendProcess.NTDLL(00000000), ref: 0041409D
                  • CloseHandle.KERNEL32(00000000,?,?,004104FF,00000000), ref: 004140A6
                  Similarity
                  • API ID: Process$CloseHandleOpenSuspend
                  • String ID:
                  • API String ID: 1999457699-0
                  • Opcode ID: 98bcb0a75b01a230d3a7b9bce0f5d78367cd9b842b6af71bcdf543dd3dd9526f
                  • Instruction ID: c720cd441d1fb4c363525b0041f600ad16199b9571234511a1c7b87690cb6eba
                  • Opcode Fuzzy Hash: 98bcb0a75b01a230d3a7b9bce0f5d78367cd9b842b6af71bcdf543dd3dd9526f
                  • Instruction Fuzzy Hash: 5BD0A7375041206782301BAA7C0CC9BEDACEFC6AB17060139F505D32109A70880186E4
                  APIs
                  • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004104DA,00000000), ref: 004140BC
                  • NtResumeProcess.NTDLL(00000000), ref: 004140C9
                  • CloseHandle.KERNEL32(00000000,?,?,004104DA,00000000), ref: 004140D2
                  Similarity
                  • API ID: Process$CloseHandleOpenResume
                  • String ID:
                  • API String ID: 3614150671-0
                  • Opcode ID: 9fad2a502fa7faa9e5f51105b4b9b611271f95e00a70c0f950de53cf66ccd0e7
                  • Instruction ID: b573a9e7073962d667ed29fcfea639aa8662b63cbaacc0304d5545022f3d3f39
                  • Opcode Fuzzy Hash: 9fad2a502fa7faa9e5f51105b4b9b611271f95e00a70c0f950de53cf66ccd0e7
                  • Instruction Fuzzy Hash: 18D0A7375045206382311BAA7C0CC9BED6CEFC6AB27060139F505D32109A70880586E4
                  Similarity
                  • API ID:
                  • String ID: .
                  • API String ID: 0-248832578
                  • Opcode ID: 33736077106ea9c41a55e7d57557f930262da454b6c215421cb9d1619f4ffb89
                  • Instruction ID: 8b481f37cf34a6864c2d130e8fdcc313354078d9f2934eb3c92a84ffaea2f645
                  • Opcode Fuzzy Hash: 33736077106ea9c41a55e7d57557f930262da454b6c215421cb9d1619f4ffb89
                  • Instruction Fuzzy Hash: 533135719002496FEB24DEB9CC85EFB7BBDDB85308F0401AEFA18D7251E634AE508B54
                  APIs
                  • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00439B85,?,00000004), ref: 0043D36F
                  Strings
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID: GetLocaleInfoEx
                  • API String ID: 2299586839-2904428671
                  • Opcode ID: 64a7c0f2a9de8ab2aaecb69340f8927a81e6880a3c6918ded6173dccb186d561
                  • Instruction ID: 99bc655a3bc1be28c86baa9407a67e1ab84f9eff57967d72aef827ad82e7914b
                  • Opcode Fuzzy Hash: 64a7c0f2a9de8ab2aaecb69340f8927a81e6880a3c6918ded6173dccb186d561
                  • Instruction Fuzzy Hash: 26F0F031E40318BBCB11AF61AC02F6E7B25EF09B11F00001AFD05672A0DE759E10D79E
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 924d3e53c1e03b780691302e42ee5c6770a1e5cbaa53b05eb7f5580d33f8b10d
                  • Instruction ID: 0b6f7ab68621607683436a4c384d7e772e94304ea69e48c1928831daa74a75f7
                  • Opcode Fuzzy Hash: 924d3e53c1e03b780691302e42ee5c6770a1e5cbaa53b05eb7f5580d33f8b10d
                  • Instruction Fuzzy Hash: 5D023C71E002199BDF14DFA9C8807AEF7F5EF88324F25816AD919E7344D734AA41CB94
                  APIs
                  • FindFirstFileW.KERNEL32(00000000,?), ref: 00404D0E
                  • FindNextFileW.KERNEL32(00000000,?,?), ref: 00404DCE
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  Yara matches
                  Similarity
                  • API ID: FileFind$FirstNextsend
                  • String ID:
                  • API String ID: 4113138495-0
                  • Opcode ID: 505f218192b50bd77820bfb60d5f156b65f0f4f4987af29c65fb0a3728c195aa
                  • Instruction ID: 6f49344318bfe85daec384318d0861b169a496eeea52fdc1f4ab8bff2f12ce31
                  • Opcode Fuzzy Hash: 505f218192b50bd77820bfb60d5f156b65f0f4f4987af29c65fb0a3728c195aa
                  • Instruction Fuzzy Hash: DE218071910118AACB04FBA1DC9ADEE7738AF51308F40017BF60A771D1EF786A49CA99
                  APIs
                  • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004454F6,?,?,00000008,?,?,00449C5D,00000000), ref: 00445728
                  Yara matches
                  Similarity
                  • API ID: ExceptionRaise
                  • String ID:
                  • API String ID: 3997070919-0
                  • Opcode ID: 57b167dff027822b40cd9bf0cc99b9618bd263b207ef16c4545e6c5eba121c6f
                  • Instruction ID: d0ea70422cec9f165c84079b10fdce7f9c306530441617810e3d9b208016dc25
                  • Opcode Fuzzy Hash: 57b167dff027822b40cd9bf0cc99b9618bd263b207ef16c4545e6c5eba121c6f
                  • Instruction Fuzzy Hash: 9DB16F31510A08DFEB15CF28C48AB657BE1FF45364F658669E899CF3A2C339D982CB44
                  APIs
                  • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 0042C394
                  Yara matches
                  Similarity
                  • API ID: FeaturePresentProcessor
                  • String ID:
                  • API String ID: 2325560087-0
                  • Opcode ID: 3e73572192df25099f623df8e9ec90d92daa5c76d3d8bfcedde04a24219424a9
                  • Instruction ID: 06289575ebfd2b144f51e73def67dabbd1ce3b4c491e5894815ca5d526aa7d77
                  • Opcode Fuzzy Hash: 3e73572192df25099f623df8e9ec90d92daa5c76d3d8bfcedde04a24219424a9
                  • Instruction Fuzzy Hash: 4151A071E012259BDB28CF69E9C56AEBBF0FF44314F62806AD815E7350E3789940CB65
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C663
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00444537
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$InfoLocale_abort
                  • String ID:
                  • API String ID: 1663032902-0
                  • Opcode ID: a2d943a086185b7fc15ae0d4757faef8adc798fcf4b9c2ae125c48aeb90dc98f
                  • Instruction ID: 0375e17c0aef0fa5086038b5f7089d8883eb037e1f51a5b42556dae727e64806
                  • Opcode Fuzzy Hash: a2d943a086185b7fc15ae0d4757faef8adc798fcf4b9c2ae125c48aeb90dc98f
                  • Instruction Fuzzy Hash: 7421B37250021ABBFF249F65DC82BBB73A8EB85314F10017BEA01D6281EB799D41CB59
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • EnumSystemLocalesW.KERNEL32(00444293,00000001,00000000,?,0043A127,?,004448C0,00000000,?,?,?), ref: 004441DD
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID:
                  • API String ID: 1084509184-0
                  • Opcode ID: 3502736ba63b8e2c7d2c35b1c24bef305e40c3b3e814cca2c2f1ad96b4cddafe
                  • Instruction ID: d817b4c82914c360351b7ae4efef5bcd2a1477d4c4c983c316b00783dbbb98dd
                  • Opcode Fuzzy Hash: 3502736ba63b8e2c7d2c35b1c24bef305e40c3b3e814cca2c2f1ad96b4cddafe
                  • Instruction Fuzzy Hash: 9B11553A2043005FEB189F39D8917BBB792FFC0368B14442EE94697B40D779B842C740
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004444B1,00000000,00000000,?), ref: 0044473F
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$InfoLocale_abort_free
                  • String ID:
                  • API String ID: 2692324296-0
                  • Opcode ID: 0643c3a1bd1a9dd71bf00954fb3fb47e5b33a20a2d41db757f750b7f10676e6f
                  • Instruction ID: c41b3cfd152ec3217f3411773d566e8b8c6644d072675bcfad230fe154c94bdb
                  • Opcode Fuzzy Hash: 0643c3a1bd1a9dd71bf00954fb3fb47e5b33a20a2d41db757f750b7f10676e6f
                  • Instruction Fuzzy Hash: 15F0F936900115BBFB249B258846BBB7758EB81758F04456AEC15A3240EB78BD43C6D4
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • EnumSystemLocalesW.KERNEL32(004444E3,00000001,?,?,0043A127,?,00444884,0043A127,?,?,?,?,?,0043A127,?,?), ref: 00444252
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID:
                  • API String ID: 1084509184-0
                  • Opcode ID: a9a1ec533c4e2d1cea5ea59d622ff66105d46555b1406077cbd2a6d00cfb2eaa
                  • Instruction ID: 8685162fc4afcdf5fd098cdcf66e118da8e65faba114f29a95636c84a7f67ac7
                  • Opcode Fuzzy Hash: a9a1ec533c4e2d1cea5ea59d622ff66105d46555b1406077cbd2a6d00cfb2eaa
                  • Instruction Fuzzy Hash: 5AF0C2762043045FEB245F39AC81B7ABB95FFC07A8F15446EFA458B680D6B5AC01C654
                  APIs
                    • Part of subcall function 0043AD17: EnterCriticalSection.KERNEL32(-00465500,?,004386DA,00000000,004619A0,0000000C,00438695,00000000,?,?,0043AFB5,00000000,?,0043C6B9,00000001,00000364), ref: 0043AD26
                  • EnumSystemLocalesW.KERNEL32(0043CE6F,00000001,00461B48,0000000C), ref: 0043CEED
                  Yara matches
                  Similarity
                  • API ID: CriticalEnterEnumLocalesSectionSystem
                  • String ID:
                  • API String ID: 1272433827-0
                  • Opcode ID: cee707a51fd36459098d413192212e3f916418e3fb2c362fdff28a2d4da702d2
                  • Instruction ID: 934304bcd1dbe48ad47870c6af69179c224af78579b9be482c8ba5d8f89128c7
                  • Opcode Fuzzy Hash: cee707a51fd36459098d413192212e3f916418e3fb2c362fdff28a2d4da702d2
                  • Instruction Fuzzy Hash: 3CF06272A10210EFDB10EF69D886B4D77F1EB48715F10502AF510DB2E1DBB859409F9A
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • EnumSystemLocalesW.KERNEL32(00444077,00000001,?,?,?,004448E2,0043A127,?,?,?,?,?,0043A127,?,?,?), ref: 00444157
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$EnumLocalesSystem_abort_free
                  • String ID:
                  • API String ID: 1084509184-0
                  • Opcode ID: 137ef4ed3f435a18bd1a40161f596dc9d47b5cf04a749f1b92ca8ae6f06f2a38
                  • Instruction ID: fadf5640887e04a154483176a322383a6a9ac895239db3a81ee7e9225e9547f7
                  • Opcode Fuzzy Hash: 137ef4ed3f435a18bd1a40161f596dc9d47b5cf04a749f1b92ca8ae6f06f2a38
                  • Instruction Fuzzy Hash: A1F0553A30024557DB149F35C849B7B7FA0EFD1B54F06005AEA058BA90C63AA882C754
                  APIs
                  • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,0040EF02,00467C58,004685A8,00467C58,00000000,00467C58,00000000,00467C58,5.0.0 Light), ref: 0040A7E7
                  Yara matches
                  Similarity
                  • API ID: InfoLocale
                  • String ID:
                  • API String ID: 2299586839-0
                  • Opcode ID: 6ddfbf7d2207e5d6d8ec799a117bb3087f28e3f41abf0016fa46f88250cd763c
                  • Instruction ID: 9a798ae02f157338c708f63c1b9ad51c28855ef9b4bc681706038201a566eb8d
                  • Opcode Fuzzy Hash: 6ddfbf7d2207e5d6d8ec799a117bb3087f28e3f41abf0016fa46f88250cd763c
                  • Instruction Fuzzy Hash: 10D05B7074011D77D51496859C0EEAA779CD701755F000166BE04D72C0D9F05E0447D1
                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002C6C9,0042C179), ref: 0042C6C2
                  Yara matches
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: 094e6a82d95d6692359290b52c5e995304a6b7eb75435aa066142c39170e18a0
                  • Instruction ID: d9664f68c8221137b110d1ef9bd69654236c1139d3ad4c086aaf65efa94659a4
                  • Opcode Fuzzy Hash: 094e6a82d95d6692359290b52c5e995304a6b7eb75435aa066142c39170e18a0
                  • Instruction Fuzzy Hash:
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
                  • Instruction ID: 30eacb981cb6278b9ede921612644d04ced7297ace774c55fa6f37c82e0ba73a
                  • Opcode Fuzzy Hash: 00ef9a7d3e26296a65ddfeab7daadc8cf88223517f11c320cda8b7a0b82f5a53
                  • Instruction Fuzzy Hash: 8B5176A060164777EF3CA92884567BF67999F0E304F1AF80FD9C2D7382C62C9D06861E
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0
                  • API String ID: 0-4108050209
                  • Opcode ID: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
                  • Instruction ID: 621a70b502a6b5c6d37222a8ff5bbc931b0a3dc879fdfe3d88000f589cd0ccb1
                  • Opcode Fuzzy Hash: c4e470230f592cf2ea01b95aa03d306a2ecdbbcafd652f7a80073b6ae47f5522
                  • Instruction Fuzzy Hash: D551576060060B76DB34696884557BF67D89B0F344F1AF41FD882EB382C50DFD06975E
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: @
                  • API String ID: 0-2766056989
                  • Opcode ID: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                  • Instruction ID: 58a32b67fd52e4b5a0fde5ac6498c231c723e7108e1cbf5630fede9056be8aeb
                  • Opcode Fuzzy Hash: afc649a906c918a612c1bf2ed60efbe29a77397457307a03108316727d093398
                  • Instruction Fuzzy Hash: F341F376D102199BCB04CFA9C5817DEFBF1FF88314F25816AE905B3350D375AA828B84
                  Strings
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: W3@
                  • API String ID: 0-335922567
                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction ID: ec8441004770c7bd0e6604dddaea9bb83db662958cd391b005bda1a29ca50b28
                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                  • Instruction Fuzzy Hash: 6F112677300071C3DA548A6FF4B47B7A39EEAC63207AD43EBC0434B798C12AA9419528
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 39c13eaf2b43764aa064e248018f4039e50bf7bd3b8766448cafaa2500434ee3
                  • Instruction ID: dff000e9ce1d075c872209c3bb3a5f7dfcad922372d6c8f972a731bc3d171017
                  • Opcode Fuzzy Hash: 39c13eaf2b43764aa064e248018f4039e50bf7bd3b8766448cafaa2500434ee3
                  • Instruction Fuzzy Hash: 6E322321D68F450DE7239638C862336A248EFB33C5F55D737E81AB5AA6EF29C4C34145
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 27ba41c287480f5b8183f811836f76d7f550f221e5fc56609452204e267aaea9
                  • Instruction ID: 6bb8bb0fec046874f5145361ccca132aba013deabdda64588bf2c44baeb068ef
                  • Opcode Fuzzy Hash: 27ba41c287480f5b8183f811836f76d7f550f221e5fc56609452204e267aaea9
                  • Instruction Fuzzy Hash: 96323731D29F414DE7239634D862336A648AFB73C9F16D737F819B5AA6EB28C4C34105
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f25822038f6aa24fa3d9c51f0ef5a40f5636f4ac83753e7b9f54b9c7a827e64b
                  • Instruction ID: 8bb2b10bb431365c82bc5f39601f76eba586852c4335e00b8eeb21bc69606507
                  • Opcode Fuzzy Hash: f25822038f6aa24fa3d9c51f0ef5a40f5636f4ac83753e7b9f54b9c7a827e64b
                  • Instruction Fuzzy Hash: 2022C031A082199BDF15CF68C4817FEB7B5AF44314F18416BEC55AB382DB389E85CB98
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 093cffccdb6c66a0d7340a85fd8f8add5e90d94a679726dfc5632c4f1750100d
                  • Instruction ID: 342c0cdfdd82e5fbc2c8eda45e65bdb4c87943b50b4ff408f9f5404654bea766
                  • Opcode Fuzzy Hash: 093cffccdb6c66a0d7340a85fd8f8add5e90d94a679726dfc5632c4f1750100d
                  • Instruction Fuzzy Hash: F6123F32F002289BDB04DBA5ED527BDB7F2AF88354F25806AD505B7381DA786E51CB84
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ab85773646df3c18f5c22ee0a8a28f051c4839798a67329570b83ff2c07864e1
                  • Instruction ID: 9e03052f19126324a91828d089483b46de3fc6043dcbe5a2f4130615f5c6c6e0
                  • Opcode Fuzzy Hash: ab85773646df3c18f5c22ee0a8a28f051c4839798a67329570b83ff2c07864e1
                  • Instruction Fuzzy Hash: C5028E716006618FC318CF2EE89057AB7F1FB8D302744863AE495C7796DB34E922CB98
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                  • Instruction ID: 96633ae29827aa327625e701ee6e741e90ea856618e9f77abfd30a60d1f46689
                  • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                  • Instruction Fuzzy Hash: 09C1C6322050930ADF2D467D843403FBAE19EA67B1B1A675FD8B3CB2D4EE18E525D624
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aae66948a7d14490cd8c9109fbf7412b48e3904d3f2339df8b430768c5abf669
                  • Instruction ID: e919e97572e5d898b1d397796e98c471b128834b3b8a1f3d3c79fe5053aedd28
                  • Opcode Fuzzy Hash: aae66948a7d14490cd8c9109fbf7412b48e3904d3f2339df8b430768c5abf669
                  • Instruction Fuzzy Hash: 0BE18574A102688FCB08CF5DE8A18BE73F1FB49302B45456EE542D7392CB35EA16DB94
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                  • Instruction ID: 655f015dc29df4e564f0b571a5197a72ff42159226e6b164a1f98aab1704f003
                  • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                  • Instruction Fuzzy Hash: F6C1E6322050930ADF2D467EC43403FBAE19EA67B171E676FD4B2CB2D4EE18E525D624
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                  • Instruction ID: 3881479ca0bd7a27f5bc5d974e6b995f2e0b2f442fb3c81114a012ba865e30ec
                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                  • Instruction Fuzzy Hash: 3BC1C2322050930ADF2D467D843003FFAE19EA67B171A676FD4B3CB2D4EE28E565D624
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                  • Instruction ID: b13647cfdb381e914d5ee1013fc0bf6decb2f210f91c318e1b774d862af76626
                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                  • Instruction Fuzzy Hash: 7AC1C3322051930ADF2D467D843013FFAE19EA67B171A675FD4B3DB2C4EE28E525C624
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e1bb503d0bbedacf75994f4392ae90be9d373012142ee5b5dfd7dfd5654fca4
                  • Instruction ID: 43de85b52332da23c8a7353abdbb8753fa52d551abae1b1a77b410637c2692c0
                  • Opcode Fuzzy Hash: 3e1bb503d0bbedacf75994f4392ae90be9d373012142ee5b5dfd7dfd5654fca4
                  • Instruction Fuzzy Hash: 3AB1B4391146969ACB05EF28C0913F27BA1FF6A304F1850B9DC98CFB56D3399512EBB4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3e365e412f8b0de208b0a3a5c36b5aa6c5d091ac7f8fcabe2bda1b0ef33dad1b
                  • Instruction ID: 9395c0c413ac9ed6cbed414acb3e3e2dad0f067879a9039ab3748abd52584a97
                  • Opcode Fuzzy Hash: 3e365e412f8b0de208b0a3a5c36b5aa6c5d091ac7f8fcabe2bda1b0ef33dad1b
                  • Instruction Fuzzy Hash: FF611C31E0020A9BDF08DFB9D4815EFB7B6FF8C314F14853AE515BB250E674AA498B94
                  APIs
                  • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00411D54
                  • CreateCompatibleDC.GDI32(00000000), ref: 00411D60
                    • Part of subcall function 004121BD: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 004121F1
                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00411DCB
                  • DeleteDC.GDI32(004595D0), ref: 00411DE3
                  • DeleteDC.GDI32(00000000), ref: 00411DE6
                  • DeleteObject.GDI32(?), ref: 00411DEA
                  • SelectObject.GDI32(00000000,00000000), ref: 00411E07
                  • DeleteDC.GDI32(004595D0), ref: 00411E1A
                  • DeleteDC.GDI32(00000000), ref: 00411E1D
                  • StretchBlt.GDI32(00000000,00000000,00000000,?,?,004595D0,00000000,00000000,?,?,00CC0020), ref: 00411E41
                  • GetCursorInfo.USER32(?,?,?,00000000), ref: 00411E5C
                  • GetIconInfo.USER32(?,?), ref: 00411E70
                  • DeleteObject.GDI32(?), ref: 00411E95
                  • DeleteObject.GDI32(?), ref: 00411E9E
                  • DrawIcon.USER32(?,00000000,00000000,?), ref: 00411EAD
                  • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 00411ED8
                  • GetObjectA.GDI32(00000000,00000018,?), ref: 00411EFB
                  • LocalAlloc.KERNEL32(00000040,00000001,?,?,00000000), ref: 00411F61
                  • GlobalAlloc.KERNEL32(00000000,?,?,?,00000000), ref: 00411FCA
                  • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00411FEA
                  • DeleteDC.GDI32(004595D0), ref: 00411FFD
                  • DeleteDC.GDI32(00000000), ref: 00412000
                  • DeleteObject.GDI32(00000000), ref: 00412005
                  • GlobalFree.KERNEL32(?), ref: 0041200F
                  • DeleteObject.GDI32(00000000), ref: 004120B4
                  • GlobalFree.KERNEL32(?), ref: 004120BB
                  • DeleteDC.GDI32(004595D0), ref: 004120CA
                  • DeleteDC.GDI32(00000000), ref: 004120D5
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
                  • String ID: DISPLAY
                  • API String ID: 4256916514-865373369
                  • Opcode ID: 4eef245477b2cac1330de91626b8b7de2612fcf0d5592a4cb2291e85346c77b0
                  • Instruction ID: 6754f39ffeb4237899f5a11fba91f3ac5ffa3ca2bb12ebe9639fee6d98070a97
                  • Opcode Fuzzy Hash: 4eef245477b2cac1330de91626b8b7de2612fcf0d5592a4cb2291e85346c77b0
                  • Instruction Fuzzy Hash: B7C16C75E00219AFDB14DFA4DC45BEEBBB9FF09304F00406AEA05E72A0DB74A945CB59
                  APIs
                  • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041379A
                  • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 004137AE
                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 004137D3
                  • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00467C58,00000000), ref: 004137E9
                  • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041382A
                  • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00413842
                  • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00413856
                  • SetEvent.KERNEL32 ref: 00413877
                  • WaitForSingleObject.KERNEL32(000001F4), ref: 00413888
                  • CloseHandle.KERNEL32 ref: 00413898
                  • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 004138BA
                  • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 004138C4
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                  • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                  • API String ID: 738084811-1354618412
                  • Opcode ID: cae28591a129194fd829c2a9309d6facea740c7026911d0c2981a63167973e0c
                  • Instruction ID: bd2fa42c21b04a4ddea9e7df4cec845cad49f386d966d5b6bb162bea7320357c
                  • Opcode Fuzzy Hash: cae28591a129194fd829c2a9309d6facea740c7026911d0c2981a63167973e0c
                  • Instruction Fuzzy Hash: 1851E4B1A001087FE705BB65DC92CBF3B6CAE51349B10413FF902A71D2EE785E49866E
                  APIs
                    • Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                    • Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                    • Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408B30
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408B43
                  • SetFileAttributesW.KERNEL32(?,00000080), ref: 00408B5F
                  • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00408B8D
                  • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408DB0
                  • ExitProcess.KERNEL32 ref: 00408DBC
                    • Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValuechar_traits
                  • String ID: """, 0$")$0-Z$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                  • API String ID: 1918141659-3115136078
                  • Opcode ID: 229165c8840bd156d5f4d1d4d664171c3e035cefed46bf5ea66966c5fd41dc6b
                  • Instruction ID: c5d0144a2ae36d70927c377d3784265ebcbc611e1e7a997d8d49b6472f4ec663
                  • Opcode Fuzzy Hash: 229165c8840bd156d5f4d1d4d664171c3e035cefed46bf5ea66966c5fd41dc6b
                  • Instruction Fuzzy Hash: F9712A31A01204ABCB09EB61E9529EE7769AF50309B64807FB506771D2EF7C2E0AC65C
                  APIs
                    • Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                    • Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                    • Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,C:\Users\user\Desktop\SXQdCnmxiH.exe,00467F30,5.0.0 Light), ref: 00408880
                  • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 00408893
                  • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,C:\Users\user\Desktop\SXQdCnmxiH.exe,00467F30,5.0.0 Light), ref: 004088C5
                  • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,C:\Users\user\Desktop\SXQdCnmxiH.exe,00467F30,5.0.0 Light), ref: 004088D3
                  • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408ACA
                  • ExitProcess.KERNEL32 ref: 00408AD1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Attributes$CloseDeleteExecuteExitModuleNameOpenProcessQueryShellValue
                  • String ID: ")$.vbs$0-Z$5.0.0 Light$C:\Users\user\Desktop\SXQdCnmxiH.exe$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                  • API String ID: 1304132890-1853556966
                  • Opcode ID: ad7f4d21e8e8ed2b0c1518bf84c40d22f4f27f9fcfd724d3c3470fa42a23990e
                  • Instruction ID: 50ebfcbe5c1ebcb9165fbe97e2fa56407b44833999517d5f6a7c08225b8befd7
                  • Opcode Fuzzy Hash: ad7f4d21e8e8ed2b0c1518bf84c40d22f4f27f9fcfd724d3c3470fa42a23990e
                  • Instruction Fuzzy Hash: 5B614D31E00204ABCB09FB61ED569EE7769AF50309B64807FB506771D2EE7C2E0AC65C
                  APIs
                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040E7CF
                  • LoadLibraryA.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0040E815
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E82F
                  • FreeLibrary.KERNEL32(00000000,?,?,?,00000000,00000000,00000000), ref: 0040E83A
                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E877
                  • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0040E889
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E894
                  • GetProcAddress.KERNEL32(00000000,0045EF50), ref: 0040E8A3
                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040E8BA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                   • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                   • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Library$AddressFreeProc$Load$DirectorySystem
                  • String ID: PE$\ws2_32$\wship6$\E$getaddrinfo$hE
                  • API String ID: 2490988753-2677158126
                  • Opcode ID: 119303696d228ccd35e595041ed9e773568b2fcf916b89ad7f5f4e0b52eac666
                  • Instruction ID: e2fe4f89bec593c1194b96244b36457e88d8aa3fc30695666a9ebb8fa0cbd204
                  • Opcode Fuzzy Hash: 119303696d228ccd35e595041ed9e773568b2fcf916b89ad7f5f4e0b52eac666
                  • Instruction Fuzzy Hash: 6531D6B3D01218A7DB20AB62DC48A8F77ACAB05704F0049B7EC08B3241D7789E558BEC
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: _free$EnvironmentVariable$_wcschr
                  • String ID:
                  • API String ID: 3899193279-0
                  • Opcode ID: 909bc05674609410ff26f541e5c167ff2ec18223c00ceba45c322b984421b914
                  • Instruction ID: e5e83df4ef68464442205cc1be5f52a6d26416a8e4d4a2ce2ea22800950a0912
                  • Opcode Fuzzy Hash: 909bc05674609410ff26f541e5c167ff2ec18223c00ceba45c322b984421b914
                  • Instruction Fuzzy Hash: ACD149B1A007006BFB20AF75884176B77F8EF45364F0542AFE959973A1EB399880879D
                  APIs
                  • lstrlenW.KERNEL32(?,00000000,?), ref: 00414488
                  • lstrlenW.KERNEL32(?), ref: 004144B0
                  • FindFirstVolumeW.KERNEL32(?,00000104), ref: 004144D7
                  • GetLastError.KERNEL32 ref: 004144E5
                  • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041455B
                  • lstrcmpW.KERNEL32(?,?), ref: 00414574
                  • FindNextVolumeW.KERNEL32(00000018,?,00000104), ref: 0041458D
                  • FindVolumeClose.KERNEL32(00000018), ref: 004145CD
                  • GetLastError.KERNEL32 ref: 004145E1
                  • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000105,00000105), ref: 00414613
                  • lstrcatW.KERNEL32(?,?), ref: 0041462B
                  • lstrcpyW.KERNEL32(?,?), ref: 00414639
                  • GetLastError.KERNEL32 ref: 00414641
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuerylstrcatlstrcmplstrcpy
                  • String ID: ?
                  • API String ID: 1756451316-1684325040
                  • Opcode ID: 869de8c0f6b6c052ca7256d94f29aceed04532e0509162e956ddf41a741eb0f5
                  • Instruction ID: c30ebbe14cfefa4166e81c7ddb843457e38c02827eab3581fc0647f02b26dd89
                  • Opcode Fuzzy Hash: 869de8c0f6b6c052ca7256d94f29aceed04532e0509162e956ddf41a741eb0f5
                  • Instruction Fuzzy Hash: 40519275D00219ABCF209FA4DC48AEEB7B9EF59304F1045A6E609D3290E7749EC1CB59
                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 004434DA
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004426EF
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442701
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442713
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442725
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442737
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442749
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 0044275B
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 0044276D
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 0044277F
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 00442791
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004427A3
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004427B5
                    • Part of subcall function 004426D2: _free.LIBCMT ref: 004427C7
                  • _free.LIBCMT ref: 004434CF
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 004434F1
                  • _free.LIBCMT ref: 00443506
                  • _free.LIBCMT ref: 00443511
                  • _free.LIBCMT ref: 00443533
                  • _free.LIBCMT ref: 00443546
                  • _free.LIBCMT ref: 00443554
                  • _free.LIBCMT ref: 0044355F
                  • _free.LIBCMT ref: 00443597
                  • _free.LIBCMT ref: 0044359E
                  • _free.LIBCMT ref: 004435BB
                  • _free.LIBCMT ref: 004435D3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID: xAF
                  • API String ID: 161543041-3548281371
                  • Opcode ID: a4f159e0e9c024440b84150d2bdb78644e89f50e34608afc83fb179a3a5121b9
                  • Instruction ID: 92db8032b0720874402903e40b9fb06c435e77b18e2188d4bbe0c893ea4b2b00
                  • Opcode Fuzzy Hash: a4f159e0e9c024440b84150d2bdb78644e89f50e34608afc83fb179a3a5121b9
                  • Instruction Fuzzy Hash: 60315B71600201AFFB21AE3AD846B9B77F8EF44765F10441FE269D7251DB39EE808B58
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: _free
                  • String ID: pAF
                  • API String ID: 269201875-3714919331
                  • Opcode ID: 0b5147b3abe51b3ca7e10458fe03aa452a0dc9938cf48847196365733bd2fbca
                  • Instruction ID: 8dededbd5becb74d53d2a95e16b98ad866d25175fdaf3316945a8a0ee90ca501
                  • Opcode Fuzzy Hash: 0b5147b3abe51b3ca7e10458fe03aa452a0dc9938cf48847196365733bd2fbca
                  • Instruction Fuzzy Hash: BBC14475D40204ABEB20DBA9CD43FEE77F8EB49714F54015AFA04FB282D6B8994187A4
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: _free$Info
                  • String ID:
                  • API String ID: 2509303402-0
                  • Opcode ID: 2cbd61164feb8f31ea708ba1c3ec9c9b80fbebdb348a20e61bf8b077109d67d2
                  • Instruction ID: d45b0b2e4fbb5bd969bb37fcfd0237086f40b43bc18fc14bf27d4f7790022adf
                  • Opcode Fuzzy Hash: 2cbd61164feb8f31ea708ba1c3ec9c9b80fbebdb348a20e61bf8b077109d67d2
                  • Instruction Fuzzy Hash: 35B19F71900205AEDB119F69C881BEEBBF8FF0C304F14516EEA95A7342D77999418BA8
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406180
                  • GetFileSizeEx.KERNEL32(00000000,?), ref: 004061B6
                  • __aulldiv.LIBCMT ref: 004061E0
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004062E6
                  • ReadFile.KERNEL32(?,00000000,000186A0,?,00000000), ref: 00406301
                  • CloseHandle.KERNEL32(?), ref: 004063C4
                  • CloseHandle.KERNEL32(?), ref: 00406400
                  • CloseHandle.KERNEL32(?), ref: 0040644F
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                  • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $X|F
                  • API String ID: 3086580692-2448825271
                  • Opcode ID: 234f46f0e51a69f685230f3404a689933db99e5cd62fe8fc99fb9305bb62bee7
                  • Instruction ID: bea1a2075f6bf4ac8efb432577deb3b1b0a73dcb4665b62bfdfcd592466e9e2e
                  • Opcode Fuzzy Hash: 234f46f0e51a69f685230f3404a689933db99e5cd62fe8fc99fb9305bb62bee7
                  • Instruction Fuzzy Hash: D3B1BA31E00118ABCB08FBA5D9929EEB7B5AF44314F10812FF906772D1EF785E458B99
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: _free
                  • String ID: <VF$<VF$@VF$pAF$tAF
                  • API String ID: 269201875-3149002956
                  • Opcode ID: 6ba1943d00136b9477be9fb8f075363001e3410eaec9203114703f58f8559963
                  • Instruction ID: 1ff29a68be44b64efb4402e980a49073e15b5af391af27e56c8b58b9c5c5d352
                  • Opcode Fuzzy Hash: 6ba1943d00136b9477be9fb8f075363001e3410eaec9203114703f58f8559963
                  • Instruction Fuzzy Hash: AF61D571D00205AFEB20DF69C942B9ABBF4EF45720F50416BF954EB241E7B49D418B98
                  APIs
                    • Part of subcall function 0040D18B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00467F30), ref: 0040D1A7
                    • Part of subcall function 0040D18B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 0040D1C0
                    • Part of subcall function 0040D18B: RegCloseKey.ADVAPI32(00000000), ref: 0040D1CB
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 00408E36
                  • ShellExecuteW.SHELL32(00000000,open,00000000,0045962C,0045962C,00000000), ref: 00408F95
                  • ExitProcess.KERNEL32 ref: 00408FA1
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: CloseExecuteExitFileModuleNameOpenProcessQueryShellValue
                  • String ID: """, 0$.vbs$0-Z$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                  • API String ID: 2135335499-567823180
                  • Opcode ID: f901e2d043e8d204b1c9408a99933f1f47392063888bb27a2476831dde7d4a4c
                  • Instruction ID: 55b6c44869765462ce5e00c325246dd343a9294273c7abbd33844619ebd27e2b
                  • Opcode Fuzzy Hash: f901e2d043e8d204b1c9408a99933f1f47392063888bb27a2476831dde7d4a4c
                  • Instruction Fuzzy Hash: 86413A31900118AADB09FB61DC56DEE7729AF50305F14417FF506B70D2EE7C6E4ACA58
                  APIs
                  • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040915E
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: LongNamePath
                  • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                  • API String ID: 82841172-425784914
                  • Opcode ID: fd396b2d4feb2073e271fc861ddaecf4abb2023261153f9ee186aaa4ac6e7966
                  • Instruction ID: ea893111990a9468f4124166bdf4f4bc63fff47cfd0576253bcacca366c7345f
                  • Opcode Fuzzy Hash: fd396b2d4feb2073e271fc861ddaecf4abb2023261153f9ee186aaa4ac6e7966
                  • Instruction Fuzzy Hash: E6410E31901105AADB09FBA2ED578EE77789E24319B20413FB912761E3EF7C2F0D8659
                  APIs
                  • SetEvent.KERNEL32(?,?), ref: 0040330D
                  • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004033BD
                  • TranslateMessage.USER32(?), ref: 004033CC
                  • DispatchMessageA.USER32(?), ref: 004033D7
                  • HeapCreate.KERNEL32(00000000,00000000,00000000), ref: 0040348F
                  • HeapFree.KERNEL32(00000000,00000000,?), ref: 004034C7
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                  • String ID: CloseChat$DisplayMessage$GetMessage
                  • API String ID: 2956720200-749203953
                  • Opcode ID: c2d6146e2c7cd29e95e1fb93eb0c4c5e4259636daa948a59db1d5b7d4d7413af
                  • Instruction ID: c4fabbcbd06e4aea07cac65f4be45b80aa5bf073acc6ad1f74fa4fa4731dbfc7
                  • Opcode Fuzzy Hash: c2d6146e2c7cd29e95e1fb93eb0c4c5e4259636daa948a59db1d5b7d4d7413af
                  • Instruction Fuzzy Hash: CC41C4326043009BCB00BF76DD9A86F7BA9AB85704F00053EF906A71D1EE7CDA09C75A
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00412B9E,00000000), ref: 004131F1
                  • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00412B9E,00000000), ref: 00413208
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413215
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412B9E,00000000), ref: 00413224
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413235
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413238
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: a735b932353fbfae41dc522d640d0e0449f4c83599ff4557b0c4dc0a78a6ea00
                  • Instruction ID: ae9598d82f6d429b4cf8f2c9fd722e72ee621a44a1d031857c481a514433e705
                  • Opcode Fuzzy Hash: a735b932353fbfae41dc522d640d0e0449f4c83599ff4557b0c4dc0a78a6ea00
                  • Instruction Fuzzy Hash: 4311C275D41218ABD7106F65AC89DFF7B2CDB4A36AB000066F90593140DB388D47AAB9
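The per-function "APIs" bullets above are the most useful part of the report for an analyst, but they are only readable as text. The following parser is an added example (not Joe Sandbox's code and not the sample's) that turns bullets of exactly the shape shown on this page into structured records, keeps the "Part of subcall function" nesting, and names a few documented Win32 constants at known argument positions: ControlService dwControl (1 = SERVICE_CONTROL_STOP, as in the entry at 00413224), CreateFileW dwDesiredAccess and dwCreationDisposition (80000000 = GENERIC_READ, 00000003 = OPEN_EXISTING, as at 00406180), and the ReadFile byte count (000186A0 = 100000, as at 00406301). The sample inputs are copied from the service-control entry (004131F1-00413238) and the upload entry (00406180 onward) and embedded as constructed strings; the bullet character and the "ref:" suffix are assumed to be as they appear here. The listing shows more slots than each API takes and "?" for unresolved ones, so decoded constants are hints, not ground truth.

```python
"""Parse Joe Sandbox per-function "APIs" bullets into structured call records."""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

Arg = Union[int, str, None]   # 8-hex-digit slot -> int, literal -> str, "?" -> None


@dataclass
class ApiCall:
    name: str                          # e.g. "ControlService"
    module: str                        # token after the dot, e.g. "ADVAPI32"
    args: List[Arg]                    # stack slots exactly as listed
    ref: int                           # call-site address from "ref: XXXXXXXX"
    subcall_of: Optional[int] = None   # parent address for "Part of subcall function" lines


# One bullet per line: optional subcall prefix, name.MODULE, optional (args), ref: addr
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w:@~]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                      # slot the sandbox could not resolve
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok                           # literal such as "getaddrinfo" or "open"


def parse_api_calls(text: str) -> List[ApiCall]:
    """Return every API bullet in listing order; lines that are not bullets are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw, parent = m.group("args"), m.group("parent")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(parent, 16) if parent else None))
    return calls


# Documented Win32 values for the argument positions decoded below.
_SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                    3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
_GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
            0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def describe_constants(call: ApiCall) -> List[str]:
    """Name the constants in slots we know; the listing has extra slots and '?' entries,
    so treat the result as a hint rather than a verified argument value."""
    a, notes = call.args, []
    if call.name == "ControlService" and len(a) > 1 and a[1] in _SERVICE_CONTROL:
        notes.append(f"dwControl={_SERVICE_CONTROL[a[1]]}")
    if call.name == "CreateFileW":
        if len(a) > 1 and isinstance(a[1], int):
            flags = [n for bit, n in _GENERIC.items() if a[1] & bit]
            if flags:
                notes.append("dwDesiredAccess=" + "|".join(flags))
        if len(a) > 4 and a[4] in _DISPOSITION:
            notes.append(f"dwCreationDisposition={_DISPOSITION[a[4]]}")
    if call.name == "ReadFile" and len(a) > 2 and isinstance(a[2], int):
        notes.append(f"nNumberOfBytesToRead={a[2]}")
    return notes


def call_sequence(calls: List[ApiCall]) -> List[str]:
    """Names of the function's own calls in address order (subcalls excluded).
    This is static layout order, not runtime order: an early-exit branch puts a
    CloseServiceHandle at 00413215 before the ControlService at 00413224."""
    return [c.name for c in sorted(calls, key=lambda c: c.ref) if c.subcall_of is None]


# Constructed samples: bullets copied from the report's service-control and upload entries.
SAMPLE_SERVICE = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00412B9E,00000000), ref: 004131F1
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00412B9E,00000000), ref: 00413208
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413215
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412B9E,00000000), ref: 00413224
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413235
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412B9E,00000000), ref: 00413238
"""
SAMPLE_UPLOAD = """\
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406180
• GetFileSizeEx.KERNEL32(00000000,?), ref: 004061B6
• __aulldiv.LIBCMT ref: 004061E0
  • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
• SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000), ref: 004062E6
• ReadFile.KERNEL32(?,00000000,000186A0,?,00000000), ref: 00406301
"""
```

Run `parse_api_calls` over one entry's bullet lines and `call_sequence` gives the static call order, while `describe_constants` on each record names the known constants; paste further entries from the report into the same function to compare routines across samples.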
                  APIs
                  • _free.LIBCMT ref: 0043C524
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 0043C530
                  • _free.LIBCMT ref: 0043C53B
                  • _free.LIBCMT ref: 0043C546
                  • _free.LIBCMT ref: 0043C551
                  • _free.LIBCMT ref: 0043C55C
                  • _free.LIBCMT ref: 0043C567
                  • _free.LIBCMT ref: 0043C572
                  • _free.LIBCMT ref: 0043C57D
                  • _free.LIBCMT ref: 0043C58B
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: 3da48a6ce269c97f3ef4d21a8d8036b2a7361a1831b3352f502914f45603e971
                  • Instruction ID: 1cebc71dc2f67862d3e13b1818bde38924e8bb604e876a6b753946dc8a858eb3
                  • Opcode Fuzzy Hash: 3da48a6ce269c97f3ef4d21a8d8036b2a7361a1831b3352f502914f45603e971
                  • Instruction Fuzzy Hash: AF11B9B6510108BFDB11EF59C842DDD3BB9EF48364F4150AABB188F222DB35DE509B88
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID:
                  • String ID: 65535$udp
                  • API String ID: 0-1267037602
                  • Opcode ID: 294e5188d84f63982fac9725afcfcd6b69464ebbb7ea8a39a57d8f816ffa08d2
                  • Instruction ID: 49d50f31532c904576114a46d556afe4d15bd6e05c959a6d923d4506dbea0b6a
                  • Opcode Fuzzy Hash: 294e5188d84f63982fac9725afcfcd6b69464ebbb7ea8a39a57d8f816ffa08d2
                  • Instruction Fuzzy Hash: ED51E235600205ABDB248F2AD809BBB3764EB41340F088C7BEC41A73D1E73ECD619A69
                  APIs
                    • Part of subcall function 00409474: char_traits.LIBCPMT ref: 00409484
                  • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004108D0
                    • Part of subcall function 00414995: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149B2
                  • Sleep.KERNEL32(00000064), ref: 004108FC
                  • DeleteFileW.KERNEL32(00000000), ref: 0041092C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Similarity
                  • API ID: File$CreateDeleteExecuteShellSleepchar_traits
                  • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                  • API String ID: 2701014334-2001430897
                  • Opcode ID: 5322e8377441615cfe43036d095e99c03694ce4edc005fe3e5cbd432f67369b1
                  • Instruction ID: 649befc1bdbc967cf37dcd0602f11568b2954d481243b05d7a8e013ad2fb5259
                  • Opcode Fuzzy Hash: 5322e8377441615cfe43036d095e99c03694ce4edc005fe3e5cbd432f67369b1
                  • Instruction Fuzzy Hash: A1316F719101189ADB08FBA1DC92EEE7724AF10304F40017FF506770D2EE785E8ACA58
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040BD4B
                  • int.LIBCPMT ref: 0040BD5E
                    • Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
                    • Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F
                  • std::locale::_Getfacet.LIBCPMT ref: 0040BD67
                  • std::_Facet_Register.LIBCPMT ref: 0040BD9E
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040BDA7
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040BDC5
                  • __Init_thread_footer.LIBCMT ref: 0040BE06
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetInit_thread_footerRegisterThrowstd::locale::_
                  • String ID: QF
                  • API String ID: 2409581025-4212332354
                  • Opcode ID: e2264b22f1d783c7bcc0a0d2506abdff25276be16bd236ad74a987be273730e3
                  • Instruction ID: 09e96e7057cbc55d3f4a205848f92d87d3c0cf58768ad79e84684d0470a9d74a
                  • Opcode Fuzzy Hash: e2264b22f1d783c7bcc0a0d2506abdff25276be16bd236ad74a987be273730e3
                  • Instruction Fuzzy Hash: FD210432A006249BCB04EB69E9419DE7768DF44724B60417FF404B73D2EBB89D018BDD
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6ebcd19dd8ea4aaa66f822712df9da184658bb392bc63acd6694766bb71bde39
                  • Instruction ID: af0672775ae0156a28360151f1c3b7a31f31081405023bcfc625b595f62d43bb
                  • Opcode Fuzzy Hash: 6ebcd19dd8ea4aaa66f822712df9da184658bb392bc63acd6694766bb71bde39
                  • Instruction Fuzzy Hash: 9AC1E970D042459FEF11DFA8D841BAEBBB0BF49310F14409BEA14A7392D7789951CF6A
                  APIs
                  • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044738E,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00447161
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 004471E4
                  • __alloca_probe_16.LIBCMT ref: 0044721C
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044738E,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 00447277
                  • __alloca_probe_16.LIBCMT ref: 004472C6
                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044728E
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044738E,00000000,00000000,?,00000001,?,?,?,?), ref: 0044730A
                  • __freea.LIBCMT ref: 00447335
                  • __freea.LIBCMT ref: 00447341
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                  • String ID:
                  • API String ID: 201697637-0
                  • Opcode ID: fa2af291714716c827d99f9792f2db6a916c2868c8cb06fdb154a1010fbb4181
                  • Instruction ID: 12d0403d258b220dcc3b0481ec1b61b5071a14faeeee8fdcc8ea0df3d1fe83d2
                  • Opcode Fuzzy Hash: fa2af291714716c827d99f9792f2db6a916c2868c8cb06fdb154a1010fbb4181
                  • Instruction Fuzzy Hash: A891C371E082169AFB248E65CC81EEFBBB5AF09714F18455BED00E7341DB28DC42C7A9
                  APIs
                    • Part of subcall function 0043C604: GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                    • Part of subcall function 0043C604: _free.LIBCMT ref: 0043C63B
                    • Part of subcall function 0043C604: SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                    • Part of subcall function 0043C604: _abort.LIBCMT ref: 0043C682
                  • _memcmp.LIBVCRUNTIME ref: 0043AADE
                  • _free.LIBCMT ref: 0043AB4F
                  • _free.LIBCMT ref: 0043AB68
                  • _free.LIBCMT ref: 0043AB9A
                  • _free.LIBCMT ref: 0043ABA3
                  • _free.LIBCMT ref: 0043ABAF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorLast$_abort_memcmp
                  • String ID: C
                  • API String ID: 1679612858-1037565863
                  • Opcode ID: c21c5b9015e533256efbda0bb32b5a4d6ec8f40b43f474bf37c10997b8c74c41
                  • Instruction ID: 0c4d8b62e11b48f220935ba042654483d693afbfc79999ee0a582e562d63e247
                  • Opcode Fuzzy Hash: c21c5b9015e533256efbda0bb32b5a4d6ec8f40b43f474bf37c10997b8c74c41
                  • Instruction Fuzzy Hash: 42B13775A012199FDB24DF18C885BAEB7B5FF48304F1085AEE949A7350E738AE90CF45
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: tcp$udp
                  • API String ID: 0-3725065008
                  • Opcode ID: a5d8df89a668cbce1b951fa4099479226ad52a16bf42fdbcbcf2d451977e4a1a
                  • Instruction ID: e41cde888cb84cab5534ebd0c22eadc40ae511836058fd877fedfdbdda4abd49
                  • Opcode Fuzzy Hash: a5d8df89a668cbce1b951fa4099479226ad52a16bf42fdbcbcf2d451977e4a1a
                  • Instruction Fuzzy Hash: 62816E70A0021AEBDF248F96C98566A7BB1EF04305F14887BE805B73D0E778CD61DB99
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00414A4B
                  • RegEnumKeyExA.ADVAPI32(?,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00414CFF
                  • RegCloseKey.ADVAPI32(?), ref: 00414D13
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 00414A3F
                  • DisplayName, xrefs: 00414ABF
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnumOpen
                  • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                  • API String ID: 1332880857-3614651759
                  • Opcode ID: 102c754f6db2c918d87e9fad86f8a8ffa0097f2d352cec0743043ea34be09aea
                  • Instruction ID: 43297fea3dedd97e28625b6416bcccf0ab8070b56c23e27658d4eba5031ed536
                  • Opcode Fuzzy Hash: 102c754f6db2c918d87e9fad86f8a8ffa0097f2d352cec0743043ea34be09aea
                  • Instruction Fuzzy Hash: DB8150719000189FDB19EB61DC52AEEB778AF54305F2041BFB50AB7191EF386F4ACA58
                  APIs
                    • Part of subcall function 0041133B: __EH_prolog.LIBCMT ref: 00411340
                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004111EB
                  • CloseHandle.KERNEL32(00000000), ref: 004111F4
                  • DeleteFileA.KERNEL32(00000000), ref: 00411203
                  • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004111B7
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                  • String ID: <$@$Temp
                  • API String ID: 1704390241-1032778388
                  • Opcode ID: 2364f98d2105d1c9f75bdf3f5f64019ca18ef37328902b5832c135fa4703618f
                  • Instruction ID: ad04bf931f7867cc53fbebc0e8fffc18bd5d028930098c656fedf11ecfda1b99
                  • Opcode Fuzzy Hash: 2364f98d2105d1c9f75bdf3f5f64019ca18ef37328902b5832c135fa4703618f
                  • Instruction Fuzzy Hash: 9B41B431A002099BDB15FB61DD5AAEE7734AF10305F40417EF606760E2EF781E89CB99
                  APIs
                    • Part of subcall function 00406B5E: char_traits.LIBCPMT ref: 00406B79
                  • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000), ref: 00404E61
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00404EA9
                  • CloseHandle.KERNEL32(00000000), ref: 00404EE3
                  • MoveFileW.KERNEL32(00000000,00000000), ref: 00404EFB
                  • CloseHandle.KERNEL32(?), ref: 00404F1F
                  • DeleteFileW.KERNEL32(00000000), ref: 00404F2E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateDeleteMoveWritechar_traits
                  • String ID: .part
                  • API String ID: 820096542-3499674018
                  • Opcode ID: 82eaa74071aecc03f03f41c7058cc80d71f3295a554235d2acfe12381442790a
                  • Instruction ID: 5c36687aa40538048aa4780b78d7a9adf0fa4287d792cb94eb1ee9f5321ee973
                  • Opcode Fuzzy Hash: 82eaa74071aecc03f03f41c7058cc80d71f3295a554235d2acfe12381442790a
                  • Instruction Fuzzy Hash: 5C315CB5D00219ABDB04EFA5DD468EEB778FB84311F10857AFA01B3190DB746E48CB98
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00412D30,00000000), ref: 0041318A
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00412D30,00000000), ref: 0041319E
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D30,00000000), ref: 004131AB
                  • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00412D30,00000000), ref: 004131BA
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D30,00000000), ref: 004131CC
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412D30,00000000), ref: 004131CF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID: 0-A
                  • API String ID: 221034970-4208662379
                  • Opcode ID: 26c269b2b5b415636ec90b355a214fbc3be7e10cc918407cc0eb80d971509374
                  • Instruction ID: 4190613ea1f760789cbad35551d2ce1ddae63fac486eef5c4cb23c6bf5310e8a
                  • Opcode Fuzzy Hash: 26c269b2b5b415636ec90b355a214fbc3be7e10cc918407cc0eb80d971509374
                  • Instruction Fuzzy Hash: FEF0F635A012187FD2106F259C89EBF7B6CDB86365F000076FD0593141DF289E4795B9
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412C3A,00000000), ref: 004132F5
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412C3A,00000000), ref: 00413309
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C3A,00000000), ref: 00413316
                  • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00412C3A,00000000), ref: 00413325
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C3A,00000000), ref: 00413337
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412C3A,00000000), ref: 0041333A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID: :,A
                  • API String ID: 221034970-3998721020
                  • Opcode ID: 7290b1de14312650045ba83e55dcc57750f0edd5e6043cc5f61598c88f1327a8
                  • Instruction ID: 15d15653b68353dd679e809e6ec4728b72dbc48d278b86db564465cb233afa91
                  • Opcode Fuzzy Hash: 7290b1de14312650045ba83e55dcc57750f0edd5e6043cc5f61598c88f1327a8
                  • Instruction Fuzzy Hash: 75F0F6759012187BD2116F25AC49EBF3B6CDB86265F00006AFE0997141DF38CE4795BD
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00436E4A,00436E4A,?,?,?,0043CE58,00000001,00000001,23E85006), ref: 0043CC61
                  • __alloca_probe_16.LIBCMT ref: 0043CC99
                  • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0043CE58,00000001,00000001,23E85006,?,?,?), ref: 0043CCE7
                  • __alloca_probe_16.LIBCMT ref: 0043CD7E
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043CDE1
                  • __freea.LIBCMT ref: 0043CDEE
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • __freea.LIBCMT ref: 0043CDF7
                  • __freea.LIBCMT ref: 0043CE1C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                  • String ID:
                  • API String ID: 3864826663-0
                  • Opcode ID: aa72fb37263ec7774e26f631fb98f19815b435717cb4ad8385503ed5a82bf28c
                  • Instruction ID: 0912c9ce66cd9b2932528824e70a82a690157903a232b8cd9281ba3b8db62955
                  • Opcode Fuzzy Hash: aa72fb37263ec7774e26f631fb98f19815b435717cb4ad8385503ed5a82bf28c
                  • Instruction Fuzzy Hash: 3151B472A00216ABDB258F64CC81EAB7BAAEB48754F15563AF905F6240DB38DC50C758
                  APIs
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000), ref: 00412878
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 00412896
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004128B3
                  • SendInput.USER32(00000001,00000001,0000001C,00000000,00000000,00000000), ref: 004128C5
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 004128DC
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 004128F9
                  • SendInput.USER32(00000001,00000001,0000001C), ref: 00412915
                  • SendInput.USER32(00000001,?,0000001C,?), ref: 00412932
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: InputSend
                  • String ID:
                  • API String ID: 3431551938-0
                  • Opcode ID: 587c2c9c09c8a70936073821a9182f181da1d14b611035e4b063ad142e6f8d31
                  • Instruction ID: b65633c945fab3acf205a051b09c2427f02832200925faa26f4ab4285d26be98
                  • Opcode Fuzzy Hash: 587c2c9c09c8a70936073821a9182f181da1d14b611035e4b063ad142e6f8d31
                  • Instruction Fuzzy Hash: 2C313071D5025DA9FB109BD5CC46FFFBB78AF18714F04000AE600AA1C2D6E995858BE5
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Event
                  • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                  • API String ID: 4201588131-168337528
                  • Opcode ID: 74a6e9d38416634356b6872006514cb5c36970034d5b4ab2db1b6ccd0ce19543
                  • Instruction ID: c92056b20dc9bf3fae846537b07ab36f7947da9daa6e81f239864184b9ec0149
                  • Opcode Fuzzy Hash: 74a6e9d38416634356b6872006514cb5c36970034d5b4ab2db1b6ccd0ce19543
                  • Instruction Fuzzy Hash: C7419231A143109BC604BB35CD5AA6E3A95AB41714F40463FF905B72D2EFBC9909C78E
                  APIs
                  • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0043E3E5,0044A1A5,00000000,00000000,00000000,00000000,00000000), ref: 0043DCB2
                  • __fassign.LIBCMT ref: 0043DD2D
                  • __fassign.LIBCMT ref: 0043DD48
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0043DD6E
                  • WriteFile.KERNEL32(?,00000000,00000000,0043E3E5,00000000,?,?,?,?,?,?,?,?,?,0043E3E5,0044A1A5), ref: 0043DD8D
                  • WriteFile.KERNEL32(?,0044A1A5,00000001,0043E3E5,00000000,?,?,?,?,?,?,?,?,?,0043E3E5,0044A1A5), ref: 0043DDC6
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID:
                  • API String ID: 1324828854-0
                  • Opcode ID: b0842eb0f3a19637c26f20ab8a3a0f438c03f7ac224a8ecb38f271b88ece1a51
                  • Instruction ID: f9ff8145c7802d69b68e0807d832188e1e7334bcf18ca1b04f1e67c0e13b88ac
                  • Opcode Fuzzy Hash: b0842eb0f3a19637c26f20ab8a3a0f438c03f7ac224a8ecb38f271b88ece1a51
                  • Instruction Fuzzy Hash: 4851BFB1E00609AFCB10CFA8E881AEEBBB5FF0D300F14456AE551E7291E7749951CB69
                  APIs
                    • Part of subcall function 0040D033: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 0040D057
                    • Part of subcall function 0040D033: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 0040D074
                    • Part of subcall function 0040D033: RegCloseKey.KERNELBASE(?), ref: 0040D07F
                  • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 00408457
                  • PathFileExistsA.SHLWAPI(?), ref: 00408464
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                  • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                  • API String ID: 1133728706-4073444585
                  • Opcode ID: 07ec844a35af1eab60777bde60706366a64d5fec3982bd01d4ac9b07599154bc
                  • Instruction ID: d4c107e0a2a60d174b8eb14a8049b3fa6967e586068c38da7eb9b938dd98d54a
                  • Opcode Fuzzy Hash: 07ec844a35af1eab60777bde60706366a64d5fec3982bd01d4ac9b07599154bc
                  • Instruction Fuzzy Hash: 4821A571A0021596CB04FBB1CE5BDEE77289F55308F84003FBA41772C2EE7C5949C699
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f8d67d838cba7ae6643fc231b92a3ea0e4a27433a772fcaf6ae334517963e3ec
                  • Instruction ID: d4fb6aa5a6f4f3f6f26ae499fe221ed113336c66fb169326c0f6f0770eed75ad
                  • Opcode Fuzzy Hash: f8d67d838cba7ae6643fc231b92a3ea0e4a27433a772fcaf6ae334517963e3ec
                  • Instruction Fuzzy Hash: 49115732504114BBEB206F769C0596B7A6CEFCA774F10065AF825D3291DA3CC8009269
                  APIs
                  • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00413A3D
                  • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00413A54
                  • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00413A6B
                  • InternetCloseHandle.WININET(00000000), ref: 00413AAB
                  • InternetCloseHandle.WININET(?), ref: 00413AB0
                  Strings
                  • http://geoplugin.net/json.gp, xrefs: 00413A4B
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleOpen$FileRead
                  • String ID: http://geoplugin.net/json.gp
                  • API String ID: 3121278467-91888290
                  • Opcode ID: 1d35924211fd6d3ca7fd81e902c68168a7243ae8d72f4add1dc609e780773222
                  • Instruction ID: 0c70c8ff12340d49335c6931f1b45108ae4ea8819ebf5f5e342574acd6559fd7
                  • Opcode Fuzzy Hash: 1d35924211fd6d3ca7fd81e902c68168a7243ae8d72f4add1dc609e780773222
                  • Instruction Fuzzy Hash: 73119335901214BBCB24ABA69D49DEF7FBCDF06764F20007EF905B2281DA785E40C6A5
                  APIs
                    • Part of subcall function 00442E11: _free.LIBCMT ref: 00442E3A
                  • _free.LIBCMT ref: 00443118
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 00443123
                  • _free.LIBCMT ref: 0044312E
                  • _free.LIBCMT ref: 00443182
                  • _free.LIBCMT ref: 0044318D
                  • _free.LIBCMT ref: 00443198
                  • _free.LIBCMT ref: 004431A3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: a8cd47d3cfa0aed6907b9f5707d3247d80cbe860e9efca63a93b6f0d316e7495
                  • Instruction ID: 514b17becd18eddbe0435b57e08186c78f646e4a9e344aa64bfce05e92a373ce
                  • Opcode Fuzzy Hash: a8cd47d3cfa0aed6907b9f5707d3247d80cbe860e9efca63a93b6f0d316e7495
                  • Instruction Fuzzy Hash: C2115E31540704AAE620B7B2CD07FDB77AC9F04705F80082EB7996A053D7BAA5144654
                  APIs
                  • GetLastError.KERNEL32(?,?,00431C8C,0042EED4), ref: 00431CA3
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00431CB1
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00431CCA
                  • SetLastError.KERNEL32(00000000,?,00431C8C,0042EED4), ref: 00431D1C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  • Opcode ID: d95248e79e9614f468323e3478d543c470c5e6b9e0e37615c035713204aef643
                  • Instruction ID: 2c398e4a0ffb902d7d0625a3abf4894a61d5cdd8f58e9f020c870dbfa0318f37
                  • Opcode Fuzzy Hash: d95248e79e9614f468323e3478d543c470c5e6b9e0e37615c035713204aef643
                  • Instruction Fuzzy Hash: 4701D83220D2315EEB1417B67C85A672765EB8A379F30223FF624451F1EF994C01A14D
                  APIs
                  • GetLastError.KERNEL32(C:\Users\user\Desktop\SXQdCnmxiH.exe,00000000,00000000,00432251,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000,?,00467F30), ref: 0043C68D
                  • _free.LIBCMT ref: 0043C6C2
                  • _free.LIBCMT ref: 0043C6E9
                  • SetLastError.KERNEL32(00000000), ref: 0043C6F6
                  • SetLastError.KERNEL32(00000000), ref: 0043C6FF
                  Strings
                  • C:\Users\user\Desktop\SXQdCnmxiH.exe, xrefs: 0043C68C
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID: C:\Users\user\Desktop\SXQdCnmxiH.exe
                  • API String ID: 3170660625-347963224
                  • Opcode ID: ce95754dfb230c17aea5217a948b11656378896c81104db7b960cfcb3f4f63c4
                  • Instruction ID: 34688c5844deaaeeec10bcaec9d50f835338e08310b160136632a4be31570924
                  • Opcode Fuzzy Hash: ce95754dfb230c17aea5217a948b11656378896c81104db7b960cfcb3f4f63c4
                  • Instruction Fuzzy Hash: 1501F97664070127D21127766CCBD6B266DABDE379F20302BF915B2292FFACCC02426D
                  APIs
                  • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 00407F8B
                  • GetLastError.KERNEL32 ref: 00407F95
                  Strings
                  • [Chrome Cookies not found], xrefs: 00407FAF
                  • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 00407F56
                  • [Chrome Cookies found, cleared!], xrefs: 00407FBB
                  • UserProfile, xrefs: 00407F5B
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteErrorFileLast
                  • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                  • API String ID: 2018770650-304995407
                  • Opcode ID: 7c10d4d9d26ab4ea89e017dda8363944b3ac029fca86a6095bd209b9c10ae5af
                  • Instruction ID: 36b5ec7ebb08f88df80414dce8d663d215cea798eb143d3842aa7d4b43224e9c
                  • Opcode Fuzzy Hash: 7c10d4d9d26ab4ea89e017dda8363944b3ac029fca86a6095bd209b9c10ae5af
                  • Instruction Fuzzy Hash: B101F231A90106AACA047B75CE1B8AE7B24A912704B50013FE902731D2FD795909C29F
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: __cftoe
                  • String ID:
                  • API String ID: 4189289331-0
                  • Opcode ID: 5f28df8446c64383e0fb99689a724a51342c162445d8cc4573d67065744f944e
                  • Instruction ID: d6fa3fd3494dd5afb9895fef6f42023dfbfc37a7ed478dd002862769998016d6
                  • Opcode Fuzzy Hash: 5f28df8446c64383e0fb99689a724a51342c162445d8cc4573d67065744f944e
                  • Instruction Fuzzy Hash: AB513D72980205ABDB249B59CC46FAF77A9EF4C334F24511FF46496282DB3CDD20866E
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00412AAC,00000000), ref: 0041335D
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00412AAC,00000000), ref: 00413371
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AAC,00000000), ref: 0041337E
                  • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00412AAC,00000000), ref: 004133B3
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AAC,00000000), ref: 004133C5
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00412AAC,00000000), ref: 004133C8
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ChangeConfigManager
                  • String ID:
                  • API String ID: 493672254-0
                  • Opcode ID: f60e354ca2734c3379f2a6acb23284ac257847baf88861f2f9be3148c85afd4d
                  • Instruction ID: 959de3c3bf8d9ae695044ebb566e596cbf9f8d07e58be1ed1af2b16a345cf1d1
                  • Opcode Fuzzy Hash: f60e354ca2734c3379f2a6acb23284ac257847baf88861f2f9be3148c85afd4d
                  • Instruction Fuzzy Hash: 8A0126315451187AE3100F299C0EEBB3A1CDB42372F00036BFA35932C0DE688E46956D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: __alldvrm$_strrchr
                  • String ID: h^C
                  • API String ID: 1036877536-1919427450
                  • Opcode ID: 99551d99d789d1ca47556baa7f2ff8747541ea2f48037bd72a7d33b1b1679a7a
                  • Instruction ID: f620496ad163df25df2412e30276aa4f29c064a19c3155cfd93c0ae27050d73d
                  • Opcode Fuzzy Hash: 99551d99d789d1ca47556baa7f2ff8747541ea2f48037bd72a7d33b1b1679a7a
                  • Instruction Fuzzy Hash: E2A14876D002869FEB11CE58C8517AFBBA1EF69314F1441BFE8949B381C23C8D4AC759
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040C03F
                  • int.LIBCPMT ref: 0040C052
                    • Part of subcall function 00409864: std::_Lockit::_Lockit.LIBCPMT ref: 00409875
                    • Part of subcall function 00409864: std::_Lockit::~_Lockit.LIBCPMT ref: 0040988F
                  • std::locale::_Getfacet.LIBCPMT ref: 0040C05B
                  • std::_Facet_Register.LIBCPMT ref: 0040C092
                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0040C09B
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040C0B9
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
                  • String ID:
                  • API String ID: 2243866535-0
                  • Opcode ID: e293553077d95529c3f6ea8edd9ad7722701d123e02e8ef06f56877080a85670
                  • Instruction ID: b1e87804a3da1979fd3ed1427e76ffb0bbb4b318f8e10319d424f090478dbc6a
                  • Opcode Fuzzy Hash: e293553077d95529c3f6ea8edd9ad7722701d123e02e8ef06f56877080a85670
                  • Instruction Fuzzy Hash: 5F012632A00218D7CB14EBA5D8818DE776C9F41714F60426FF405B72D1EBB89E05C789
                  APIs
                  • GetLastError.KERNEL32(?,00000000,0043783C,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C608
                  • _free.LIBCMT ref: 0043C63B
                  • _free.LIBCMT ref: 0043C663
                  • SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C670
                  • SetLastError.KERNEL32(00000000,?,00413F44,-004697EC,?,?,?,?,?,004088E8,.vbs), ref: 0043C67C
                  • _abort.LIBCMT ref: 0043C682
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  • Opcode ID: e2941afc180c402d96ae15d3b4ea7baeb11baaa35d5f76cb1be1e232cc70365a
                  • Instruction ID: 3be8201feea6bf6bb5de18f8a738b530b1a6a28b783f59b30d90beda1ae83eb3
                  • Opcode Fuzzy Hash: e2941afc180c402d96ae15d3b4ea7baeb11baaa35d5f76cb1be1e232cc70365a
                  • Instruction Fuzzy Hash: E1F0A975A4060026D6112735AC8BF5B37699BDB779F24342FF924B2391EF6CC802429E
                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00412CB5,00000000), ref: 0041328E
                  • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00412CB5,00000000), ref: 004132A2
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412CB5,00000000), ref: 004132AF
                  • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00412CB5,00000000), ref: 004132BE
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412CB5,00000000), ref: 004132D0
                  • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00412CB5,00000000), ref: 004132D3
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandle$Open$ControlManager
                  • String ID:
                  • API String ID: 221034970-0
                  • Opcode ID: 68959f6d476b02a2d4bd0685734bbe45e7fe8639f39039e1a591674eaa023496
                  • Instruction ID: 087c9ab69ee31a6f8daf18e3e04703c1a612111ee6bc2c946994c72f918a64da
                  • Opcode Fuzzy Hash: 68959f6d476b02a2d4bd0685734bbe45e7fe8639f39039e1a591674eaa023496
                  • Instruction Fuzzy Hash: AEF0F6759012187BD2107F259C4AEBF3B6CDF86365F00006AFE0993141DF389D4795B9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: `1E
                  • API String ID: 0-2004721823
                  • Opcode ID: 0e0fe858824e10f649b933378dfe4155e1adb50c97024238f48701cb155f15ad
                  • Instruction ID: 2b4cc18daa85f4ffdc1879148ab6e5cf02e60df96b600b3f13a9bbe2c431b9f6
                  • Opcode Fuzzy Hash: 0e0fe858824e10f649b933378dfe4155e1adb50c97024238f48701cb155f15ad
                  • Instruction Fuzzy Hash: 1B411871A00704AFE7249F78CC41BABFBA4EB8C714F10956FF551DB781DA7AA9018788
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SXQdCnmxiH.exe,00000104), ref: 00438B30
                  • _free.LIBCMT ref: 00438BFB
                  • _free.LIBCMT ref: 00438C05
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Users\user\Desktop\SXQdCnmxiH.exe$`&Y
                  • API String ID: 2506810119-2366589577
                  • Opcode ID: 7f57eaab2729b4cc0946ac209535d878f2c68db1228286d325ae82aa6d241096
                  • Instruction ID: 70664c5bde541978665effa2530710d226aabc141cdd11ee7943148819d16b35
                  • Opcode Fuzzy Hash: 7f57eaab2729b4cc0946ac209535d878f2c68db1228286d325ae82aa6d241096
                  • Instruction Fuzzy Hash: FE31A2B1A01349EBDB21DB99988199FFBBCEB89314F1050AFF50497310DA785E448B99
                  APIs
                  • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0040D2B6
                  • RegSetValueExW.ADVAPI32(?,pth_unenc,00000000,00000001,00000000,00000000,00467F30,?,?,0040A737,?,C:\Users\user\Desktop\SXQdCnmxiH.exe), ref: 0040D2E6
                  • RegCloseKey.ADVAPI32(?,?,?,0040A737,?,C:\Users\user\Desktop\SXQdCnmxiH.exe), ref: 0040D2F1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue
                  • String ID: 5.0.0 Light$pth_unenc
                  • API String ID: 1818849710-2723400672
                  • Opcode ID: dcd796d3a80aaa852048ad7e6e15e5f030d87b7b49a9196caa6b4c3fd4bdc3fd
                  • Instruction ID: 7eee0f012153a7c6d52e4884b7171e92e4526d01c1b8fc011fff58cca42e9c8a
                  • Opcode Fuzzy Hash: dcd796d3a80aaa852048ad7e6e15e5f030d87b7b49a9196caa6b4c3fd4bdc3fd
                  • Instruction Fuzzy Hash: 8AF0F071940218BBDB00EFA0EE4AFEE372CEF41745F10417AFE05AB090EA359E08DA54
                  APIs
                  • std::_Lockit::_Lockit.LIBCPMT ref: 0040974E
                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040978D
                    • Part of subcall function 0042CF50: _Yarn.LIBCPMT ref: 0042CF6F
                    • Part of subcall function 0042CF50: _Yarn.LIBCPMT ref: 0042CF93
                  • std::bad_exception::bad_exception.LIBCMT ref: 004097A5
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 004097B3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.4472925080.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.4472913566.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473028591.000000000044D000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000464000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473046240.0000000000467000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.4473111139.000000000046B000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_SXQdCnmxiH.jbxd
                  Yara matches
                  Similarity
                  • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throwstd::bad_exception::bad_exception
                  • String ID: bad locale name
                  • API String ID: 3706160523-1405518554
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004389EA,00000003,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002), ref: 00438A15
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00438A28
                  • FreeLibrary.KERNEL32(00000000,?,?,?,004389EA,00000003,?,0043898A,00000003,004619C0,0000000C,00438A9D,00000003,00000002,00000000), ref: 00438A4B
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00401F3D
                  • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F49
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F54
                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00401C9F,00000001), ref: 00401F5D
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  Similarity
                  • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                  • String ID: KeepAlive | Disabled
                  • API String ID: 2993684571-305739064
                  APIs
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 004134BC
                  • PlaySoundW.WINMM(00000000,00000000), ref: 004134CA
                  • Sleep.KERNEL32(00002710), ref: 004134D1
                  • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 004134DA
                  Similarity
                  • API ID: PlaySound$HandleLocalModuleSleepTime
                  • String ID: Alarm triggered
                  • API String ID: 614609389-2816303416
                  APIs
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • _free.LIBCMT ref: 0043A4C1
                  • _free.LIBCMT ref: 0043A4D8
                  • _free.LIBCMT ref: 0043A4F7
                  • _free.LIBCMT ref: 0043A512
                  • _free.LIBCMT ref: 0043A529
                  Similarity
                  • API ID: _free$AllocateHeap
                  • String ID:
                  • API String ID: 3033488037-0
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00433381,?,00000000,?,00000001,?,?,00000001,00433381,?), ref: 00443349
                  • __alloca_probe_16.LIBCMT ref: 00443381
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004433D2
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004326AF,?), ref: 004433E4
                  • __freea.LIBCMT ref: 004433ED
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                  • String ID:
                  • API String ID: 313313983-0
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 00441533
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00441556
                    • Part of subcall function 0043B5C6: RtlAllocateHeap.NTDLL(00000000,0042CBAC,?,?,0042E2F7,?,?,5.0.0 Light,?,?,004095E3,0042CBAC,?,?,?,?), ref: 0043B5F8
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044157C
                  • _free.LIBCMT ref: 0044158F
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044159E
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  APIs
                  • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000018,00000000), ref: 00414666
                  • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000018,00000000), ref: 00414679
                  • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000018,00000000), ref: 00414699
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146A4
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000018,00000000), ref: 004146AC
                  Similarity
                  • API ID: Process$CloseHandleOpen$FileImageName
                  • String ID:
                  • API String ID: 2951400881-0
                  APIs
                  • _free.LIBCMT ref: 00442BA4
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 00442BB6
                  • _free.LIBCMT ref: 00442BC8
                  • _free.LIBCMT ref: 00442BDA
                  • _free.LIBCMT ref: 00442BEC
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  APIs
                  • _free.LIBCMT ref: 00439740
                    • Part of subcall function 0043BEA5: HeapFree.KERNEL32(00000000,00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000), ref: 0043BEBB
                    • Part of subcall function 0043BEA5: GetLastError.KERNEL32(00000000,?,00442E3F,00000000,00000000,00000000,00000000,?,004430E3,00000000,00000007,00000000,?,0044362E,00000000,00000000), ref: 0043BECD
                  • _free.LIBCMT ref: 00439752
                  • _free.LIBCMT ref: 00439765
                  • _free.LIBCMT ref: 00439776
                  • _free.LIBCMT ref: 00439787
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  APIs
                  • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C
                  • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0040D5AC
                  Similarity
                  • API ID: Enum$InfoQueryValue
                  • String ID: [regsplt]
                  • API String ID: 3554306468-4262303796
                  APIs
                  • _strpbrk.LIBCMT ref: 00440908
                  • _free.LIBCMT ref: 00440A25
                    • Part of subcall function 004322E3: IsProcessorFeaturePresent.KERNEL32(00000017,004322B5,00000000,00000000,00467F30,00000000,00000000,00000000,00467F30,?,004322D5,00000000,00000000,00000000,00000000,00000000), ref: 004322E5
                    • Part of subcall function 004322E3: GetCurrentProcess.KERNEL32(C0000417), ref: 00432307
                    • Part of subcall function 004322E3: TerminateProcess.KERNEL32(00000000), ref: 0043230E
                  Similarity
                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                  • String ID: *?$.
                  • API String ID: 2812119850-3972193922
                  APIs
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437F9E
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00437FB3
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                  • String ID: ~C$ ~C
                  • API String ID: 885266447-903778833
                  Similarity
                  • API ID:
                  • String ID: <$S@@<
                  • API String ID: 0-2148528575
                  APIs
                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00401F7A), ref: 00401F96
                  • CloseHandle.KERNEL32(?), ref: 00401FED
                  • SetEvent.KERNEL32(?), ref: 00401FFC
                  Similarity
                  • API ID: CloseEventHandleObjectSingleWait
                  • String ID: Connection Timeout
                  • API String ID: 2055531096-499159329
                  • Opcode ID: ae5bc6e26d28bd96e34e00aad8011417cdc6de2e214e1c40e182376b639a4296
                  • Instruction ID: 4132f8b51f10a03e2f6dde1d6e0fb76fb6a2fdef53c168242a3f39f5db6f161b
                  • Opcode Fuzzy Hash: ae5bc6e26d28bd96e34e00aad8011417cdc6de2e214e1c40e182376b639a4296
                  • Instruction Fuzzy Hash: 9F01D431A84B41AFD7256B768C9686ABBE1BF05306700097FE58352AB1DBB89800DB59
                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 0040A031
                  Strings
                  Similarity
                  • API ID: Exception@8Throw
                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                  • API String ID: 2005118841-1866435925
                  • Opcode ID: e704f714e4679a7b451c4a3b6f3721c3965dc6a755d26d75ca4b81400ef99aec
                  • Instruction ID: 3108494a97143dcb30bf540093841c5617afb240aa1655eecc42209d4e30229e
                  • Opcode Fuzzy Hash: e704f714e4679a7b451c4a3b6f3721c3965dc6a755d26d75ca4b81400ef99aec
                  • Instruction Fuzzy Hash: 9A01DB6164030CAAEB14EA51C843FBA73685B0070AF20803BB906B50C3EA7C6C56872F
                  APIs
                  • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0040F82E
                  Strings
                  Similarity
                  • API ID: ExecuteShell
                  • String ID: /C $cmd.exe$open
                  • API String ID: 587946157-3896048727
                  • Opcode ID: 9f634ed811d01c93b01b9f4d912010342c3c0bed2ecdf687d27e1c27c34cfd06
                  • Instruction ID: b9b5919498ba485fb8f6930109a7034d9cba9b0480c4b6652f0920fc7d9d687c
                  • Opcode Fuzzy Hash: 9f634ed811d01c93b01b9f4d912010342c3c0bed2ecdf687d27e1c27c34cfd06
                  • Instruction Fuzzy Hash: D7F062311082016AC215FB22D8569BFB7A9ABD1705F00483FB546A20D2EF7C5A4ED61E
                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,75920F10), ref: 0040D0CE
                  • RegQueryValueExW.ADVAPI32(?,del,00000000,00000000,?,00000400), ref: 0040D0EF
                  • RegCloseKey.ADVAPI32(?), ref: 0040D0F8
                  Strings
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID: del
                  • API String ID: 3677997916-3960539263
                  • Opcode ID: 88088da061e935542d602ed9a60ee80de08d29cd97cf1e62666c939df0226ecc
                  • Instruction ID: c651590824b85597b39781336d71b7838d7c867fbe8f572be816a2f15c875255
                  • Opcode Fuzzy Hash: 88088da061e935542d602ed9a60ee80de08d29cd97cf1e62666c939df0226ecc
                  • Instruction Fuzzy Hash: 9EF06275A40218FBDB109B90DC06FDD7B7CEB04705F2000B6BA45F6191DBB46E499BD8
                  APIs
                  Similarity
                  • API ID: _free
                  • String ID:
                  • API String ID: 269201875-0
                  • Opcode ID: fa5d2a8faf2fe628d058e6a4fe2f0af0d4f8ff292432a2b74dc80dafd4f9834b
                  • Instruction ID: 3ef33ea84dd1cf6f344852fb1a73c90a82761da2feee4d6795020f546570a538
                  • Opcode Fuzzy Hash: fa5d2a8faf2fe628d058e6a4fe2f0af0d4f8ff292432a2b74dc80dafd4f9834b
                  • Instruction Fuzzy Hash: D9411E31A801006BF7216ABA8C46AAF37A8FF49374F14019BF428D6391D67D4951966F
                  APIs
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,000000FF,00000000,00000000,?), ref: 00401BDC
                  • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00401BEF
                  • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,00401AC2,00000000,?,?,?,00000000,00000000), ref: 00401BFA
                  • CloseHandle.KERNEL32(?,?,?,?,?,?,00401AC2,00000000,?,?,?,00000000,00000000), ref: 00401C03
                  Similarity
                  • API ID: Create$CloseEventHandleObjectSingleThreadWait
                  • String ID:
                  • API String ID: 3360349984-0
                  • Opcode ID: 2816b86d6f7458ba1161e834096ab8bc7bd248e1979f12b57ffdc3d931af871e
                  • Instruction ID: 966eea02b2a93e457dd0c13575889c4ab86b932002f96d98d8ed952a890acd02
                  • Opcode Fuzzy Hash: 2816b86d6f7458ba1161e834096ab8bc7bd248e1979f12b57ffdc3d931af871e
                  • Instruction Fuzzy Hash: B9417171A00318ABDF11EBA1CD459EEB7BDAF14328F04013AF952B32D1DB78A905C764
                  APIs
                  Strings
                  • Cleared browsers logins and cookies., xrefs: 004085DC
                  • [Cleared browsers logins and cookies.], xrefs: 004085CB
                  Similarity
                  • API ID: Sleep
                  • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                  • API String ID: 3472027048-1236744412
                  • Opcode ID: aaa965d27c1f7c76d1c1fe5b5e673f2742d7c9977007ba8c415083749b236131
                  • Instruction ID: 20defb9733c1219c4c8a2599ca5aef24f296d1e236a042d3d024b8038190efd8
                  • Opcode Fuzzy Hash: aaa965d27c1f7c76d1c1fe5b5e673f2742d7c9977007ba8c415083749b236131
                  • Instruction Fuzzy Hash: CD31A41464C38079C61167B51E567AB7B910A93758F09487FE8C42B3C3DDBA4809936F
                  APIs
                  • GetSystemTimes.KERNEL32(?,?,?,00468138,?,00467C58), ref: 00413DB5
                  • Sleep.KERNEL32(000003E8,?,00467C58), ref: 00413DC0
                  • GetSystemTimes.KERNEL32(?,?,?,?,00467C58), ref: 00413DD2
                  • __aulldiv.LIBCMT ref: 00413E38
                  Similarity
                  • API ID: SystemTimes$Sleep__aulldiv
                  • String ID:
                  • API String ID: 188215759-0
                  • Opcode ID: af12388a144a6519f74332cc38b033842487ffc626d7b6449c11266e36e9a79f
                  • Instruction ID: 664e20bae110cd4fa9275364a011bdc36a99db3762e2da6226042cd1183b7a6f
                  • Opcode Fuzzy Hash: af12388a144a6519f74332cc38b033842487ffc626d7b6449c11266e36e9a79f
                  • Instruction Fuzzy Hash: DC115E77E00318AADB04EBF9DC85DFEB77CAB48644F05062AF605F3140ED385A488AA4
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 58266adce5fe98948b2ae2cdcb5eb7aac101841803ca74cd59dc5555995d5507
                  • Instruction ID: e293933edf47bc404921b9782ae6bdf2530dae4187b182b77bf7cc4bdb1aff01
                  • Opcode Fuzzy Hash: 58266adce5fe98948b2ae2cdcb5eb7aac101841803ca74cd59dc5555995d5507
                  • Instruction Fuzzy Hash: E701A2B26096173EFA2016796CC9F67235DDB993B9F31232BF621612D1DBA8CC014169
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d9484003af8c7f76f3537911751fc69ba13e48c1f0aa44cd003a8177e25c73c8
                  • Instruction ID: 4c4e0230044f540d0dfa141600ad540ca831ff66076231662328a578ba525b5c
                  • Opcode Fuzzy Hash: d9484003af8c7f76f3537911751fc69ba13e48c1f0aa44cd003a8177e25c73c8
                  • Instruction Fuzzy Hash: 8201D6B26092133EBB1016796CC5E6B735CEF993B9B24233BF535612D1DBB8CC404169
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0043CFBE,00000000,00000000,00000000,00000000,?,0043D2EA,00000006,FlsSetValue), ref: 0043D049
                  • GetLastError.KERNEL32(?,0043CFBE,00000000,00000000,00000000,00000000,?,0043D2EA,00000006,FlsSetValue,00453058,00453060,00000000,00000364,?,0043C6D6), ref: 0043D055
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0043CFBE,00000000,00000000,00000000,00000000,?,0043D2EA,00000006,FlsSetValue,00453058,00453060,00000000), ref: 0043D063
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 595891c980301c2c73905729bbe73c7249954adc15224a50436924359eb8ce7d
                  • Instruction ID: a0defaa7bfad2e823c90b49b53e3435581b1221e674054a2feddefd619599400
                  • Opcode Fuzzy Hash: 595891c980301c2c73905729bbe73c7249954adc15224a50436924359eb8ce7d
                  • Instruction Fuzzy Hash: 5901FC36F012229BC7254B68BC44A577768AF0DF69F100632F916D7240D724D803C6EC
                  APIs
                  • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149B2
                  • GetFileSize.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149C6
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,004108FA), ref: 004149EB
                  • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,?,004108FA), ref: 004149F9
                  Similarity
                  • API ID: File$CloseCreateHandleReadSize
                  • String ID:
                  • API String ID: 3919263394-0
                  • Opcode ID: 0908160d546d984776c4034bd17207c1f934702e7f6a1384d07143587f6b8751
                  • Instruction ID: f0ddd2d46cb65e41b6d6a3277f6bfdf1228b339456a25c00275a264c9c935e20
                  • Opcode Fuzzy Hash: 0908160d546d984776c4034bd17207c1f934702e7f6a1384d07143587f6b8751
                  • Instruction Fuzzy Hash: 5501D6B5941108BFE7105B759C89EFF776CEB86394F10026AFD01A3280CA755E059674
                  APIs
                  • GetSystemMetrics.USER32(0000004C), ref: 0041228E
                  • GetSystemMetrics.USER32(0000004D), ref: 00412294
                  • GetSystemMetrics.USER32(0000004E), ref: 0041229A
                  • GetSystemMetrics.USER32(0000004F), ref: 004122A1
                  Similarity
                  • API ID: MetricsSystem
                  • String ID:
                  • API String ID: 4116985748-0
                  • Opcode ID: dc41238271d61d062b424b9f78800828ee9edd3412daac05195af5ccd8a0ba4b
                  • Instruction ID: 734442f2042c8065209044c06ea4daf6e2b581a17a484543afd8213bfd6dd57c
                  • Opcode Fuzzy Hash: dc41238271d61d062b424b9f78800828ee9edd3412daac05195af5ccd8a0ba4b
                  • Instruction Fuzzy Hash: 7801AC71F002286BCB109FA9CC41AAD7BA5DF44760F10406BFE0CEB340D9B8AD4147C8
                  APIs
                  • ___BuildCatchObject.LIBVCRUNTIME ref: 0042FA35
                    • Part of subcall function 0043006D: ___AdjustPointer.LIBCMT ref: 004300B7
                  • _UnwindNestedFrames.LIBCMT ref: 0042FA4C
                  • ___FrameUnwindToState.LIBVCRUNTIME ref: 0042FA5E
                  • CallCatchBlock.LIBVCRUNTIME ref: 0042FA82
                  Similarity
                  • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                  • String ID:
                  • API String ID: 2633735394-0
                  • Opcode ID: 6a7b41a67f6b5d6162d44e2b17d28e3b82f582da003bb732735d339659016d48
                  • Instruction ID: a384c467a5cf0005642e118325ee09c1ca88ba2ea93b3fe8868d3066c3d62e86
                  • Opcode Fuzzy Hash: 6a7b41a67f6b5d6162d44e2b17d28e3b82f582da003bb732735d339659016d48
                  • Instruction Fuzzy Hash: C3011732100119BBCF12AF96DC01EDA7FBAFF48754F55412AF91861120C37AE861ABA8
                  APIs
                  • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0042E723
                  • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 0042E728
                  • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0042E72D
                    • Part of subcall function 00431D75: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00431D86
                  • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0042E742
                  Similarity
                  • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                  • String ID:
                  • API String ID: 1761009282-0
                  • Opcode ID: 56622d154af70104b395c77cc287e29f40d35fe8c70cadda5cf720b00b0514e6
                  • Instruction ID: 013349ac7a2fe7e9152e47b6c51a3b7e8f8268fb679fa9501f4f8a9e11b9c919
                  • Opcode Fuzzy Hash: 56622d154af70104b395c77cc287e29f40d35fe8c70cadda5cf720b00b0514e6
                  • Instruction Fuzzy Hash: E4C04C04704125606DA57AB772031AE43201CEB3CCFD474DBE8521712BDD0E241B553F
                  APIs
                  • __startOneArgErrorHandling.LIBCMT ref: 0043BD2D
                  Strings
                  Similarity
                  • API ID: ErrorHandling__start
                  • String ID: pow
                  • API String ID: 3213639722-2276729525
                  • Opcode ID: 38187daa67ab9e37275724fcbbdf11ac224d73fef389725b2515faf0432880bd
                  • Instruction ID: 2fbfe7b6d49e86fd3dc1b6acd5d8ee94abeffcde9bfe552af4cad49e3d2ca66b
                  • Opcode Fuzzy Hash: 38187daa67ab9e37275724fcbbdf11ac224d73fef389725b2515faf0432880bd
                  • Instruction Fuzzy Hash: B951BC61A0460196EB117B18C9813AB2B90DB45B41F209D6FF1D5863AAEF3C8CD59E8F
                  APIs
                  Strings
                  Similarity
                  • API ID: _memcmp
                  • String ID: 0B
                  • API String ID: 2931989736-2745533139
                  • Opcode ID: dde02da2657a13ac2c474c204eb5deeae0ef938a7f7fe63f8f2d8705779ed6d0
                  • Instruction ID: c353d1a7b62108d64f5f19d3a53e18fe02b6802cfcab92c213679ae9b53e50ff
                  • Opcode Fuzzy Hash: dde02da2657a13ac2c474c204eb5deeae0ef938a7f7fe63f8f2d8705779ed6d0
                  • Instruction Fuzzy Hash: E451B631B00622ABCB21CF66DA80A7BF7B5FF64310B56812ADD5997321D735ED11CB88
                  APIs
                  • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00020019,?), ref: 0040D763
                    • Part of subcall function 0040D476: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 0040D4DD
                    • Part of subcall function 0040D476: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 0040D50C
                    • Part of subcall function 004018E7: send.WS2_32(?,00000000,00000000,00000000), ref: 0040195A
                  • RegCloseKey.ADVAPI32(?,00459594,00459594,0045962C,0045962C), ref: 0040D8B7
                  Strings
                  Similarity
                  • API ID: CloseEnumInfoOpenQuerysend
                  • String ID: X|F
                  • API String ID: 3114080316-2178643013
                  • Opcode ID: f89718502645b7ab19a5bbbab08464fad555f615672693b7c00859fef62b1d15
                  • Instruction ID: 8116fabb2d85eb0cd33b9d71b80c948f76b574c3f971d7d1f6fc2c92bebc6ff4
                  • Opcode Fuzzy Hash: f89718502645b7ab19a5bbbab08464fad555f615672693b7c00859fef62b1d15
                  • Instruction Fuzzy Hash: E641BE71A002285ACB04F776DCA6AEE77649F51308F40817FF60A771D2EF781E89C65A
                  Similarity
                  • API ID:
                  • String ID: E@@
                  • API String ID: 0-263559340
                  • Opcode ID: 459347a91358f46872176e380f669f73c4093dfe1cd6feb0cca5c06579f60336
                  • Instruction ID: f03ecd794946583929f208bd859942677592bdc48cb2f3ff9744e4cd59c4d472
                  • Opcode Fuzzy Hash: 459347a91358f46872176e380f669f73c4093dfe1cd6feb0cca5c06579f60336
                  • Instruction Fuzzy Hash: 4F41B471A00208ABCB14EBA1D996AEEB374AF44318F20406FF602771C1EF785E44CB59
                  APIs
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 00404544
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000002,00000001,00000000), ref: 0040456A
                  Similarity
                  • API ID: ExtendedTable
                  • String ID: a@@
                  • API String ID: 2407854163-821130896
                  • Opcode ID: 403b7417141a6e3ab0469ce16749893ad844add1f190e6520086f4a8e01444fb
                  • Instruction ID: 8fc58d0faab8546e2ae9b4570367c64f21be51e55399899536b09486aaef41c4
                  • Opcode Fuzzy Hash: 403b7417141a6e3ab0469ce16749893ad844add1f190e6520086f4a8e01444fb
                  • Instruction Fuzzy Hash: 88318471A00218ABCB14EBA1DD969EEB374AF44304F20446FF702771D1EFB95E45CA59
                  APIs
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000017,00000001,00000000), ref: 00404681
                  • GetExtendedUdpTable.IPHLPAPI(00000000,?,00000001,00000017,00000001,00000000), ref: 004046A7
                  Similarity
                  • API ID: ExtendedTable
                  • String ID: l@@
                  • API String ID: 2407854163-942269891
                  • Opcode ID: 2e96147060371ac98eed0650a99ef5ed7475b9f0c053ad1149b626ce4cc91f18
                  • Instruction ID: 2ec4b1d0b07e77987f732c33211abe948ea1a39192b25ce75c5c0795d41247b7
                  • Opcode Fuzzy Hash: 2e96147060371ac98eed0650a99ef5ed7475b9f0c053ad1149b626ce4cc91f18
                  • Instruction Fuzzy Hash: 86318471A00218AACB14EBA1D985AEEB378AF44704F20406FF702771D1EFB85E45CB59
                  APIs
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 004119D0
                    • Part of subcall function 00411573: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00411589
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 00411A15
                    • Part of subcall function 004115EB: GdipSaveImageToStream.GDIPLUS(?,?,?,?), ref: 004115FD
                    • Part of subcall function 00411599: GdipDisposeImage.GDIPLUS(?,0041154D), ref: 004115A2
                  Similarity
                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                  • String ID: image/jpeg
                  • API String ID: 1291196975-3785015651
                  • Opcode ID: f1760caa1cc837f2a22b7184847d6685a1f39e41d9d40200acebcfd92b9434fc
                  • Instruction ID: ef5b11e11035bddaf631a761f834e810763e5e11838f5a19257ff1a0f99910ce
                  • Opcode Fuzzy Hash: f1760caa1cc837f2a22b7184847d6685a1f39e41d9d40200acebcfd92b9434fc
                  • Instruction Fuzzy Hash: 35318B31900218AFCB01EFA4CC84DEEBBB9EF49314F10406AF906E7251DB74AE45CBA4
                  APIs
                  • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00443F62,?,00000050,?,?,?,?,?), ref: 00443DE2
                  Similarity
                  • API ID:
                  • String ID: ACP$OCP
                  • API String ID: 0-711371036
                  • Opcode ID: b463a79c31a7c10f4098bdec5a78729edffff5adbcbc4555e4af9816c6e94504
                  • Instruction ID: f3f47050c9d98aff9bb1a4a1382f066ea7fa27275a19905ea58b4da3876d1d77
                  • Opcode Fuzzy Hash: b463a79c31a7c10f4098bdec5a78729edffff5adbcbc4555e4af9816c6e94504
                  • Instruction Fuzzy Hash: BA21F1A2E00100A6FB248E148902BD772A6EF54F63F56846AED09D7304E73AEF01C358
                  APIs
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 00411AB5
                    • Part of subcall function 00411573: GdipLoadImageFromStream.GDIPLUS(?,?), ref: 00411589
                  • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,00000000), ref: 00411AD8
                    • Part of subcall function 004115EB: GdipSaveImageToStream.GDIPLUS(?,?,?,?), ref: 004115FD
                    • Part of subcall function 00411599: GdipDisposeImage.GDIPLUS(?,0041154D), ref: 004115A2
                  Similarity
                  • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                  • String ID: image/png
                  • API String ID: 1291196975-2966254431
                  • Opcode ID: bae890b8d3371da378f3e37d71e19cd327cf3b67a299fcfbf9a2e0d8530876e7
                  • Instruction ID: 3d3f12b83bccf21c12e870e82d42f33b435d328513d3b2a06635348d3a180fbc
                  • Opcode Fuzzy Hash: bae890b8d3371da378f3e37d71e19cd327cf3b67a299fcfbf9a2e0d8530876e7
                  • Instruction Fuzzy Hash: EB217C35A00128BBCB11EBA5CC89CEEBBBDFF49315B10015AF606A3251DB745945CBA5
                  APIs
                  • GetLocalTime.KERNEL32(?), ref: 00401E49
                    • Part of subcall function 00413B81: GetLocalTime.KERNELBASE(00000000), ref: 00413B9B
                  • GetLocalTime.KERNEL32(?), ref: 00401EA1
                  Strings
                  • KeepAlive | Enabled | Timeout: , xrefs: 00401E3E
                  Similarity
                  • API ID: LocalTime
                  • String ID: KeepAlive | Enabled | Timeout:
                  • API String ID: 481472006-1507639952
                  • Opcode ID: d95bc88be679ab2795d1e3ee3956b9446fa9e4b61f9f08a43b0abdd1d014c7d8
                  • Instruction ID: b6501f059e2151b164add168212f41ddb3557997af1fb79251cdb559bb53ca58
                  • Opcode Fuzzy Hash: d95bc88be679ab2795d1e3ee3956b9446fa9e4b61f9f08a43b0abdd1d014c7d8
                  • Instruction Fuzzy Hash: 6921D172E0414067CB00B7BADD0A7EE7B645792349F54417EEC01232E2EEB85949C7AB
                  Similarity
                  • API ID: _free
                  • String ID: XAF
                  • API String ID: 269201875-3946003707
                  • Opcode ID: 56830ea015d4febb486afa971ba8605d51d7b7488d7a89142c8e124551d8de94
                  • Instruction ID: 789fddf153a2b0b51eb9e63a47b227dc4857ab3bce67e7ee6682b2e599235b10
                  • Opcode Fuzzy Hash: 56830ea015d4febb486afa971ba8605d51d7b7488d7a89142c8e124551d8de94
                  • Instruction Fuzzy Hash: 1111E9B1A1070046E7209F2DAC06B5673949758B74F142227FA24CB3D0F3F8DD814B8E
                  Similarity
                  • API ID: CountInfoInputLastTick
                  • String ID: X|F
                  • API String ID: 3478931382-2178643013
                  • Opcode ID: b385247edad76a24db9e68dfc1a14740e99aba5bcf4cd9ea178d25a246bab336
                  • Instruction ID: 171dbf0f5cfc22f21d8f68f6b7b2537727de2b88679f19cea7dddd8e5cbb1d76
                  • Opcode Fuzzy Hash: b385247edad76a24db9e68dfc1a14740e99aba5bcf4cd9ea178d25a246bab336
                  • Instruction Fuzzy Hash: 98D0127580020CFFDB14DFE4DD4D99DBFBCEB01216F0042E9EC0593210EE726A448AA9
                  Similarity
                  • API ID: CommandLine
                  • String ID: `&Y
                  • API String ID: 3253501508-1728018502
                  • Opcode ID: c620394f5d1b9bf4637b650a4de936f6e21da032e0472d8adac7ed1a9cf7b1b1
                  • Instruction ID: a600d860b0c4cf1ddb3afff28266f5757275fc974c8ace73b2f197ab6eb82cba
                  • Opcode Fuzzy Hash: c620394f5d1b9bf4637b650a4de936f6e21da032e0472d8adac7ed1a9cf7b1b1
                  • Instruction Fuzzy Hash: 02B092FCD01640CFD7009F30B80C0083FA0B60A3127C041B6DC05C2328E7740008CF09
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 004349A0
                  • GetLastError.KERNEL32(?,?), ref: 004349AE
                  • MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?), ref: 00434A09
                  Similarity
                  • API ID: ByteCharMultiWide$ErrorLast
                  • String ID:
                  • API String ID: 1717984340-0
                  • Opcode ID: 11f973e380e1e97874fd796f57fcd641ccecc41f1c0becbf414744d79cde42ba
                  • Instruction ID: e009d7546e55733e8e71cd5b89f7b57e1fa12a08878b1e74594c44e6a6326e64
                  • Opcode Fuzzy Hash: 11f973e380e1e97874fd796f57fcd641ccecc41f1c0becbf414744d79cde42ba
                  • Instruction Fuzzy Hash: B4410935A00201AFDF219F65C844BFBBBA4EFCA310F1451AAF859572A1D738AD01C75C
                  APIs
                  • IsBadReadPtr.KERNEL32(?,00000014,00000001,00000000,?,?,?,?,0040CD60), ref: 0040C9EE
                  • IsBadReadPtr.KERNEL32(?,00000014,?,0040CD60), ref: 0040CAC3
                  • SetLastError.KERNEL32(0000007F), ref: 0040CADE
                  • SetLastError.KERNEL32(0000007E,?,0040CD60), ref: 0040CAF7
                  Similarity
                  • API ID: ErrorLastRead
                  • String ID:
                  • API String ID: 4100373531-0
                  • Opcode ID: 2107795d61710c673144fc153abc3f8462d2ce2fa3ff22c3decacbf6cad935fe
                  • Instruction ID: e1be155fad3850883f817a0f1cca8f73026838c0112b34f29781b835d56552cf
                  • Opcode Fuzzy Hash: 2107795d61710c673144fc153abc3f8462d2ce2fa3ff22c3decacbf6cad935fe
                  • Instruction Fuzzy Hash: 08416671B00209DFDB24CF99D884B6AB7F5EF48310F10856AE506A7291EB78E801CF54